nextcloud / server

apps/provisioning_api/lib/Controller/UsersController.php

Indentation +826 added lines, -826 removed lines

@@ -53,830 +53,830 @@
 
 class UsersController extends OCSController {
 
-	/** @var IUserManager */
-	private $userManager;
-	/** @var IConfig */
-	private $config;
-	/** @var IAppManager */
-	private $appManager;
-	/** @var IGroupManager|\OC\Group\Manager */ // FIXME Requires a method that is not on the interface
-	private $groupManager;
-	/** @var IUserSession */
-	private $userSession;
-	/** @var AccountManager */
-	private $accountManager;
-	/** @var ILogger */
-	private $logger;
-	/** @var IFactory */
-	private $l10nFactory;
-	/** @var NewUserMailHelper */
-	private $newUserMailHelper;
-	/** @var FederatedFileSharingFactory */
-	private $federatedFileSharingFactory;
-
-	/**
-	 * @param string $appName
-	 * @param IRequest $request
-	 * @param IUserManager $userManager
-	 * @param IConfig $config
-	 * @param IAppManager $appManager
-	 * @param IGroupManager $groupManager
-	 * @param IUserSession $userSession
-	 * @param AccountManager $accountManager
-	 * @param ILogger $logger
-	 * @param IFactory $l10nFactory
-	 * @param NewUserMailHelper $newUserMailHelper
-	 * @param FederatedFileSharingFactory $federatedFileSharingFactory
-	 */
-	public function __construct(string $appName,
-								IRequest $request,
-								IUserManager $userManager,
-								IConfig $config,
-								IAppManager $appManager,
-								IGroupManager $groupManager,
-								IUserSession $userSession,
-								AccountManager $accountManager,
-								ILogger $logger,
-								IFactory $l10nFactory,
-								NewUserMailHelper $newUserMailHelper,
-								FederatedFileSharingFactory $federatedFileSharingFactory) {
-		parent::__construct($appName, $request);
-
-		$this->userManager = $userManager;
-		$this->config = $config;
-		$this->appManager = $appManager;
-		$this->groupManager = $groupManager;
-		$this->userSession = $userSession;
-		$this->accountManager = $accountManager;
-		$this->logger = $logger;
-		$this->l10nFactory = $l10nFactory;
-		$this->newUserMailHelper = $newUserMailHelper;
-		$this->federatedFileSharingFactory = $federatedFileSharingFactory;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * returns a list of users
-	 *
-	 * @param string $search
-	 * @param int $limit
-	 * @param int $offset
-	 * @return DataResponse
-	 */
-	public function getUsers(string $search = '', $limit = null, $offset = null): DataResponse {
-		$user = $this->userSession->getUser();
-		$users = [];
-
-		// Admin? Or SubAdmin?
-		$uid = $user->getUID();
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if($this->groupManager->isAdmin($uid)){
-			$users = $this->userManager->search($search, $limit, $offset);
-		} else if ($subAdminManager->isSubAdmin($user)) {
-			$subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
-			foreach ($subAdminOfGroups as $key => $group) {
-				$subAdminOfGroups[$key] = $group->getGID();
-			}
-
-			if($offset === null) {
-				$offset = 0;
-			}
-
-			$users = [];
-			foreach ($subAdminOfGroups as $group) {
-				$users = array_merge($users, $this->groupManager->displayNamesInGroup($group, $search));
-			}
-
-			$users = array_slice($users, $offset, $limit);
-		}
-
-		$users = array_keys($users);
-
-		return new DataResponse([
-			'users' => $users
-		]);
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userid
-	 * @param string $password
-	 * @param array $groups
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function addUser(string $userid, string $password, array $groups = []): DataResponse {
-		$user = $this->userSession->getUser();
-		$isAdmin = $this->groupManager->isAdmin($user->getUID());
-		$subAdminManager = $this->groupManager->getSubAdmin();
-
-		if($this->userManager->userExists($userid)) {
-			$this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']);
-			throw new OCSException('User already exists', 102);
-		}
-
-		if($groups !== []) {
-			foreach ($groups as $group) {
-				if(!$this->groupManager->groupExists($group)) {
-					throw new OCSException('group '.$group.' does not exist', 104);
-				}
-				if(!$isAdmin && !$subAdminManager->isSubAdminofGroup($user, $this->groupManager->get($group))) {
-					throw new OCSException('insufficient privileges for group '. $group, 105);
-				}
-			}
-		} else {
-			if(!$isAdmin) {
-				throw new OCSException('no group specified (required for subadmins)', 106);
-			}
-		}
-
-		try {
-			$newUser = $this->userManager->createUser($userid, $password);
-			$this->logger->info('Successful addUser call with userid: ' . $userid, ['app' => 'ocs_api']);
-
-			foreach ($groups as $group) {
-				$this->groupManager->get($group)->addUser($newUser);
-				$this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']);
-			}
-
-			return new DataResponse();
-		} catch (HintException $e ) {
-			$this->logger->logException($e, [
-				'message' => 'Failed addUser attempt with hint exception.',
-				'level' => \OCP\Util::WARN,
-				'app' => 'ocs_api',
-			]);
-			throw new OCSException($e->getHint(), 107);
-		} catch (\Exception $e) {
-			$this->logger->logException($e, [
-				'message' => 'Failed addUser attempt with exception.',
-				'level' => \OCP\Util::ERROR,
-				'app' => 'ocs_api',
-			]);
-			throw new OCSException('Bad request', 101);
-		}
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 *
-	 * gets user info
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function getUser(string $userId): DataResponse {
-		$data = $this->getUserData($userId);
-		return new DataResponse($data);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 *
-	 * gets user info from the currently logged in user
-	 *
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function getCurrentUser(): DataResponse {
-		$user = $this->userSession->getUser();
-		if ($user) {
-			$data =  $this->getUserData($user->getUID());
-			// rename "displayname" to "display-name" only for this call to keep
-			// the API stable.
-			$data['display-name'] = $data['displayname'];
-			unset($data['displayname']);
-			return new DataResponse($data);
-
-		}
-
-		throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-	}
-
-	/**
-	 * creates a array with all user data
-	 *
-	 * @param $userId
-	 * @return array
-	 * @throws OCSException
-	 */
-	protected function getUserData(string $userId): array {
-		$currentLoggedInUser = $this->userSession->getUser();
-
-		$data = [];
-
-		// Check if the target user exists
-		$targetUserObject = $this->userManager->get($userId);
-		if($targetUserObject === null) {
-			throw new OCSException('The requested user could not be found', \OCP\API::RESPOND_NOT_FOUND);
-		}
-
-		// Admin? Or SubAdmin?
-		if($this->groupManager->isAdmin($currentLoggedInUser->getUID())
-			|| $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) {
-			$data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true');
-		} else {
-			// Check they are looking up themselves
-			if($currentLoggedInUser->getUID() !== $targetUserObject->getUID()) {
-				throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-			}
-		}
-
-		$userAccount = $this->accountManager->getUser($targetUserObject);
-		$groups = $this->groupManager->getUserGroups($targetUserObject);
-		$gids = [];
-		foreach ($groups as $group) {
-			$gids[] = $group->getDisplayName();
-		}
-
-		// Find the data
-		$data['id'] = $targetUserObject->getUID();
-		$data['quota'] = $this->fillStorageInfo($targetUserObject->getUID());
-		$data[AccountManager::PROPERTY_EMAIL] = $targetUserObject->getEMailAddress();
-		$data[AccountManager::PROPERTY_DISPLAYNAME] = $targetUserObject->getDisplayName();
-		$data[AccountManager::PROPERTY_PHONE] = $userAccount[AccountManager::PROPERTY_PHONE]['value'];
-		$data[AccountManager::PROPERTY_ADDRESS] = $userAccount[AccountManager::PROPERTY_ADDRESS]['value'];
-		$data[AccountManager::PROPERTY_WEBSITE] = $userAccount[AccountManager::PROPERTY_WEBSITE]['value'];
-		$data[AccountManager::PROPERTY_TWITTER] = $userAccount[AccountManager::PROPERTY_TWITTER]['value'];
-		$data['groups'] = $gids;
-		$data['language'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'lang');
-
-		return $data;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 */
-	public function getEditableFields(): DataResponse {
-		$permittedFields = [];
-
-		// Editing self (display, email)
-		if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
-			$permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
-			$permittedFields[] = AccountManager::PROPERTY_EMAIL;
-		}
-
-		if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
-			$federatedFileSharing = $this->federatedFileSharingFactory->get();
-			$shareProvider = $federatedFileSharing->getFederatedShareProvider();
-			if ($shareProvider->isLookupServerUploadEnabled()) {
-				$permittedFields[] = AccountManager::PROPERTY_PHONE;
-				$permittedFields[] = AccountManager::PROPERTY_ADDRESS;
-				$permittedFields[] = AccountManager::PROPERTY_WEBSITE;
-				$permittedFields[] = AccountManager::PROPERTY_TWITTER;
-			}
-		}
-
-		return new DataResponse($permittedFields);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * edit users
-	 *
-	 * @param string $userId
-	 * @param string $key
-	 * @param string $value
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function editUser(string $userId, string $key, string $value): DataResponse {
-		$currentLoggedInUser = $this->userSession->getUser();
-
-		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
-			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-		}
-
-		$permittedFields = [];
-		if($targetUser->getUID() === $currentLoggedInUser->getUID()) {
-			// Editing self (display, email)
-			if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
-				$permittedFields[] = 'display';
-				$permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
-				$permittedFields[] = AccountManager::PROPERTY_EMAIL;
-			}
-
-			$permittedFields[] = 'password';
-			if ($this->config->getSystemValue('force_language', false) === false ||
-				$this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
-				$permittedFields[] = 'language';
-			}
-
-			if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
-				$federatedFileSharing = new \OCA\FederatedFileSharing\AppInfo\Application();
-				$shareProvider = $federatedFileSharing->getFederatedShareProvider();
-				if ($shareProvider->isLookupServerUploadEnabled()) {
-					$permittedFields[] = AccountManager::PROPERTY_PHONE;
-					$permittedFields[] = AccountManager::PROPERTY_ADDRESS;
-					$permittedFields[] = AccountManager::PROPERTY_WEBSITE;
-					$permittedFields[] = AccountManager::PROPERTY_TWITTER;
-				}
-			}
-
-			// If admin they can edit their own quota
-			if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
-				$permittedFields[] = 'quota';
-			}
-		} else {
-			// Check if admin / subadmin
-			$subAdminManager = $this->groupManager->getSubAdmin();
-			if($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
-			|| $this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
-				// They have permissions over the user
-				$permittedFields[] = 'display';
-				$permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
-				$permittedFields[] = AccountManager::PROPERTY_EMAIL;
-				$permittedFields[] = 'password';
-				$permittedFields[] = 'language';
-				$permittedFields[] = AccountManager::PROPERTY_PHONE;
-				$permittedFields[] = AccountManager::PROPERTY_ADDRESS;
-				$permittedFields[] = AccountManager::PROPERTY_WEBSITE;
-				$permittedFields[] = AccountManager::PROPERTY_TWITTER;
-				$permittedFields[] = 'quota';
-			} else {
-				// No rights
-				throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-			}
-		}
-		// Check if permitted to edit this field
-		if(!in_array($key, $permittedFields)) {
-			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-		}
-		// Process the edit
-		switch($key) {
-			case 'display':
-			case AccountManager::PROPERTY_DISPLAYNAME:
-				$targetUser->setDisplayName($value);
-				break;
-			case 'quota':
-				$quota = $value;
-				if($quota !== 'none' && $quota !== 'default') {
-					if (is_numeric($quota)) {
-						$quota = (float) $quota;
-					} else {
-						$quota = \OCP\Util::computerFileSize($quota);
-					}
-					if ($quota === false) {
-						throw new OCSException('Invalid quota value '.$value, 103);
-					}
-					if($quota === 0) {
-						$quota = 'default';
-					}else if($quota === -1) {
-						$quota = 'none';
-					} else {
-						$quota = \OCP\Util::humanFileSize($quota);
-					}
-				}
-				$targetUser->setQuota($quota);
-				break;
-			case 'password':
-				$targetUser->setPassword($value);
-				break;
-			case 'language':
-				$languagesCodes = $this->l10nFactory->findAvailableLanguages();
-				if (!in_array($value, $languagesCodes, true) && $value !== 'en') {
-					throw new OCSException('Invalid language', 102);
-				}
-				$this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value);
-				break;
-			case AccountManager::PROPERTY_EMAIL:
-				if(filter_var($value, FILTER_VALIDATE_EMAIL)) {
-					$targetUser->setEMailAddress($value);
-				} else {
-					throw new OCSException('', 102);
-				}
-				break;
-			case AccountManager::PROPERTY_PHONE:
-			case AccountManager::PROPERTY_ADDRESS:
-			case AccountManager::PROPERTY_WEBSITE:
-			case AccountManager::PROPERTY_TWITTER:
-				$userAccount = $this->accountManager->getUser($targetUser);
-				if ($userAccount[$key]['value'] !== $value) {
-					$userAccount[$key]['value'] = $value;
-					$this->accountManager->updateUser($targetUser, $userAccount);
-				}
-				break;
-			default:
-				throw new OCSException('', 103);
-		}
-		return new DataResponse();
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function deleteUser(string $userId): DataResponse {
-		$currentLoggedInUser = $this->userSession->getUser();
-
-		$targetUser = $this->userManager->get($userId);
-
-		if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
-			throw new OCSException('', 101);
-		}
-
-		// If not permitted
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
-			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-		}
-
-		// Go ahead with the delete
-		if($targetUser->delete()) {
-			return new DataResponse();
-		} else {
-			throw new OCSException('', 101);
-		}
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 * @throws OCSForbiddenException
-	 */
-	public function disableUser(string $userId): DataResponse {
-		return $this->setEnabled($userId, false);
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 * @throws OCSForbiddenException
-	 */
-	public function enableUser(string $userId): DataResponse {
-		return $this->setEnabled($userId, true);
-	}
-
-	/**
-	 * @param string $userId
-	 * @param bool $value
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	private function setEnabled(string $userId, bool $value): DataResponse {
-		$currentLoggedInUser = $this->userSession->getUser();
-
-		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
-			throw new OCSException('', 101);
-		}
-
-		// If not permitted
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
-			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-		}
-
-		// enable/disable the user now
-		$targetUser->setEnabled($value);
-		return new DataResponse();
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubAdminRequired
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function getUsersGroups(string $userId): DataResponse {
-		$loggedInUser = $this->userSession->getUser();
-
-		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
-			throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
-		}
-
-		if($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
-			// Self lookup or admin lookup
-			return new DataResponse([
-				'groups' => $this->groupManager->getUserGroupIds($targetUser)
-			]);
-		} else {
-			$subAdminManager = $this->groupManager->getSubAdmin();
-
-			// Looking up someone else
-			if($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) {
-				// Return the group that the method caller is subadmin of for the user in question
-				/** @var IGroup[] $getSubAdminsGroups */
-				$getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
-				foreach ($getSubAdminsGroups as $key => $group) {
-					$getSubAdminsGroups[$key] = $group->getGID();
-				}
-				$groups = array_intersect(
-					$getSubAdminsGroups,
-					$this->groupManager->getUserGroupIds($targetUser)
-				);
-				return new DataResponse(['groups' => $groups]);
-			} else {
-				// Not permitted
-				throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-			}
-		}
-
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userId
-	 * @param string $groupid
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function addToGroup(string $userId, string $groupid = ''): DataResponse {
-		if($groupid === '') {
-			throw new OCSException('', 101);
-		}
-
-		$group = $this->groupManager->get($groupid);
-		$targetUser = $this->userManager->get($userId);
-		if($group === null) {
-			throw new OCSException('', 102);
-		}
-		if($targetUser === null) {
-			throw new OCSException('', 103);
-		}
-
-		// If they're not an admin, check they are a subadmin of the group in question
-		$loggedInUser = $this->userSession->getUser();
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
-			throw new OCSException('', 104);
-		}
-
-		// Add user to group
-		$group->addUser($targetUser);
-		return new DataResponse();
-	}
-
-	/**
-	 * @PasswordConfirmationRequired
-	 * @NoAdminRequired
-	 *
-	 * @param string $userId
-	 * @param string $groupid
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function removeFromGroup(string $userId, string $groupid): DataResponse {
-		$loggedInUser = $this->userSession->getUser();
-
-		if($groupid === null || trim($groupid) === '') {
-			throw new OCSException('', 101);
-		}
-
-		$group = $this->groupManager->get($groupid);
-		if($group === null) {
-			throw new OCSException('', 102);
-		}
-
-		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
-			throw new OCSException('', 103);
-		}
-
-		// If they're not an admin, check they are a subadmin of the group in question
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
-			throw new OCSException('', 104);
-		}
-
-		// Check they aren't removing themselves from 'admin' or their 'subadmin; group
-		if ($targetUser->getUID() === $loggedInUser->getUID()) {
-			if ($this->groupManager->isAdmin($loggedInUser->getUID())) {
-				if ($group->getGID() === 'admin') {
-					throw new OCSException('Cannot remove yourself from the admin group', 105);
-				}
-			} else {
-				// Not an admin, so the user must be a subadmin of this group, but that is not allowed.
-				throw new OCSException('Cannot remove yourself from this group as you are a SubAdmin', 105);
-			}
-
-		} else if (!$this->groupManager->isAdmin($loggedInUser->getUID())) {
-			/** @var IGroup[] $subAdminGroups */
-			$subAdminGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
-			$subAdminGroups = array_map(function (IGroup $subAdminGroup) {
-				return $subAdminGroup->getGID();
-			}, $subAdminGroups);
-			$userGroups = $this->groupManager->getUserGroupIds($targetUser);
-			$userSubAdminGroups = array_intersect($subAdminGroups, $userGroups);
-
-			if (count($userSubAdminGroups) <= 1) {
-				// Subadmin must not be able to remove a user from all their subadmin groups.
-				throw new OCSException('Cannot remove user from this group as this is the only remaining group you are a SubAdmin of', 105);
-			}
-		}
-
-		// Remove user from group
-		$group->removeUser($targetUser);
-		return new DataResponse();
-	}
-
-	/**
-	 * Creates a subadmin
-	 *
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $userId
-	 * @param string $groupid
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function addSubAdmin(string $userId, string $groupid): DataResponse {
-		$group = $this->groupManager->get($groupid);
-		$user = $this->userManager->get($userId);
-
-		// Check if the user exists
-		if($user === null) {
-			throw new OCSException('User does not exist', 101);
-		}
-		// Check if group exists
-		if($group === null) {
-			throw new OCSException('Group does not exist',  102);
-		}
-		// Check if trying to make subadmin of admin group
-		if($group->getGID() === 'admin') {
-			throw new OCSException('Cannot create subadmins for admin group', 103);
-		}
-
-		$subAdminManager = $this->groupManager->getSubAdmin();
-
-		// We cannot be subadmin twice
-		if ($subAdminManager->isSubAdminofGroup($user, $group)) {
-			return new DataResponse();
-		}
-		// Go
-		if($subAdminManager->createSubAdmin($user, $group)) {
-			return new DataResponse();
-		} else {
-			throw new OCSException('Unknown error occurred', 103);
-		}
-	}
-
-	/**
-	 * Removes a subadmin from a group
-	 *
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $userId
-	 * @param string $groupid
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function removeSubAdmin(string $userId, string $groupid): DataResponse {
-		$group = $this->groupManager->get($groupid);
-		$user = $this->userManager->get($userId);
-		$subAdminManager = $this->groupManager->getSubAdmin();
-
-		// Check if the user exists
-		if($user === null) {
-			throw new OCSException('User does not exist', 101);
-		}
-		// Check if the group exists
-		if($group === null) {
-			throw new OCSException('Group does not exist', 101);
-		}
-		// Check if they are a subadmin of this said group
-		if(!$subAdminManager->isSubAdminOfGroup($user, $group)) {
-			throw new OCSException('User is not a subadmin of this group', 102);
-		}
-
-		// Go
-		if($subAdminManager->deleteSubAdmin($user, $group)) {
-			return new DataResponse();
-		} else {
-			throw new OCSException('Unknown error occurred', 103);
-		}
-	}
-
-	/**
-	 * Get the groups a user is a subadmin of
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function getUserSubAdminGroups(string $userId): DataResponse {
-		$user = $this->userManager->get($userId);
-		// Check if the user exists
-		if($user === null) {
-			throw new OCSException('User does not exist', 101);
-		}
-
-		// Get the subadmin groups
-		$subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($user);
-		$groups = [];
-		foreach ($subAdminGroups as $key => $group) {
-			$groups[] = $group->getGID();
-		}
-
-		if(!$groups) {
-			throw new OCSException('Unknown error occurred', 102);
-		} else {
-			return new DataResponse($groups);
-		}
-	}
-
-	/**
-	 * @param string $userId
-	 * @return array
-	 * @throws \OCP\Files\NotFoundException
-	 */
-	protected function fillStorageInfo(string $userId): array {
-		try {
-			\OC_Util::tearDownFS();
-			\OC_Util::setupFS($userId);
-			$storage = OC_Helper::getStorageInfo('/');
-			$data = [
-				'free' => $storage['free'],
-				'used' => $storage['used'],
-				'total' => $storage['total'],
-				'relative' => $storage['relative'],
-				'quota' => $storage['quota'],
-			];
-		} catch (NotFoundException $ex) {
-			$data = [];
-		}
-		return $data;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * resend welcome message
-	 *
-	 * @param string $userId
-	 * @return DataResponse
-	 * @throws OCSException
-	 */
-	public function resendWelcomeMessage(string $userId): DataResponse {
-		$currentLoggedInUser = $this->userSession->getUser();
-
-		$targetUser = $this->userManager->get($userId);
-		if($targetUser === null) {
-			throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
-		}
-
-		// Check if admin / subadmin
-		$subAdminManager = $this->groupManager->getSubAdmin();
-		if(!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
-			&& !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
-			// No rights
-			throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
-		}
-
-		$email = $targetUser->getEMailAddress();
-		if ($email === '' || $email === null) {
-			throw new OCSException('Email address not available', 101);
-		}
-		$username = $targetUser->getUID();
-		$lang = $this->config->getUserValue($username, 'core', 'lang', 'en');
-		if (!$this->l10nFactory->languageExists('settings', $lang)) {
-			$lang = 'en';
-		}
-
-		$l10n = $this->l10nFactory->get('settings', $lang);
-
-		try {
-			$this->newUserMailHelper->setL10N($l10n);
-			$emailTemplate = $this->newUserMailHelper->generateTemplate($targetUser, false);
-			$this->newUserMailHelper->sendMail($targetUser, $emailTemplate);
-		} catch(\Exception $e) {
-			$this->logger->logException($e, [
-				'message' => "Can't send new user mail to $email",
-				'level' => \OCP\Util::ERROR,
-				'app' => 'settings',
-			]);
-			throw new OCSException('Sending email failed', 102);
-		}
-
-		return new DataResponse();
-	}
+    /** @var IUserManager */
+    private $userManager;
+    /** @var IConfig */
+    private $config;
+    /** @var IAppManager */
+    private $appManager;
+    /** @var IGroupManager|\OC\Group\Manager */ // FIXME Requires a method that is not on the interface
+    private $groupManager;
+    /** @var IUserSession */
+    private $userSession;
+    /** @var AccountManager */
+    private $accountManager;
+    /** @var ILogger */
+    private $logger;
+    /** @var IFactory */
+    private $l10nFactory;
+    /** @var NewUserMailHelper */
+    private $newUserMailHelper;
+    /** @var FederatedFileSharingFactory */
+    private $federatedFileSharingFactory;
+
+    /**
+     * @param string $appName
+     * @param IRequest $request
+     * @param IUserManager $userManager
+     * @param IConfig $config
+     * @param IAppManager $appManager
+     * @param IGroupManager $groupManager
+     * @param IUserSession $userSession
+     * @param AccountManager $accountManager
+     * @param ILogger $logger
+     * @param IFactory $l10nFactory
+     * @param NewUserMailHelper $newUserMailHelper
+     * @param FederatedFileSharingFactory $federatedFileSharingFactory
+     */
+    public function __construct(string $appName,
+                                IRequest $request,
+                                IUserManager $userManager,
+                                IConfig $config,
+                                IAppManager $appManager,
+                                IGroupManager $groupManager,
+                                IUserSession $userSession,
+                                AccountManager $accountManager,
+                                ILogger $logger,
+                                IFactory $l10nFactory,
+                                NewUserMailHelper $newUserMailHelper,
+                                FederatedFileSharingFactory $federatedFileSharingFactory) {
+        parent::__construct($appName, $request);
+
+        $this->userManager = $userManager;
+        $this->config = $config;
+        $this->appManager = $appManager;
+        $this->groupManager = $groupManager;
+        $this->userSession = $userSession;
+        $this->accountManager = $accountManager;
+        $this->logger = $logger;
+        $this->l10nFactory = $l10nFactory;
+        $this->newUserMailHelper = $newUserMailHelper;
+        $this->federatedFileSharingFactory = $federatedFileSharingFactory;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * returns a list of users
+     *
+     * @param string $search
+     * @param int $limit
+     * @param int $offset
+     * @return DataResponse
+     */
+    public function getUsers(string $search = '', $limit = null, $offset = null): DataResponse {
+        $user = $this->userSession->getUser();
+        $users = [];
+
+        // Admin? Or SubAdmin?
+        $uid = $user->getUID();
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if($this->groupManager->isAdmin($uid)){
+            $users = $this->userManager->search($search, $limit, $offset);
+        } else if ($subAdminManager->isSubAdmin($user)) {
+            $subAdminOfGroups = $subAdminManager->getSubAdminsGroups($user);
+            foreach ($subAdminOfGroups as $key => $group) {
+                $subAdminOfGroups[$key] = $group->getGID();
+            }
+
+            if($offset === null) {
+                $offset = 0;
+            }
+
+            $users = [];
+            foreach ($subAdminOfGroups as $group) {
+                $users = array_merge($users, $this->groupManager->displayNamesInGroup($group, $search));
+            }
+
+            $users = array_slice($users, $offset, $limit);
+        }
+
+        $users = array_keys($users);
+
+        return new DataResponse([
+            'users' => $users
+        ]);
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userid
+     * @param string $password
+     * @param array $groups
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function addUser(string $userid, string $password, array $groups = []): DataResponse {
+        $user = $this->userSession->getUser();
+        $isAdmin = $this->groupManager->isAdmin($user->getUID());
+        $subAdminManager = $this->groupManager->getSubAdmin();
+
+        if($this->userManager->userExists($userid)) {
+            $this->logger->error('Failed addUser attempt: User already exists.', ['app' => 'ocs_api']);
+            throw new OCSException('User already exists', 102);
+        }
+
+        if($groups !== []) {
+            foreach ($groups as $group) {
+                if(!$this->groupManager->groupExists($group)) {
+                    throw new OCSException('group '.$group.' does not exist', 104);
+                }
+                if(!$isAdmin && !$subAdminManager->isSubAdminofGroup($user, $this->groupManager->get($group))) {
+                    throw new OCSException('insufficient privileges for group '. $group, 105);
+                }
+            }
+        } else {
+            if(!$isAdmin) {
+                throw new OCSException('no group specified (required for subadmins)', 106);
+            }
+        }
+
+        try {
+            $newUser = $this->userManager->createUser($userid, $password);
+            $this->logger->info('Successful addUser call with userid: ' . $userid, ['app' => 'ocs_api']);
+
+            foreach ($groups as $group) {
+                $this->groupManager->get($group)->addUser($newUser);
+                $this->logger->info('Added userid ' . $userid . ' to group ' . $group, ['app' => 'ocs_api']);
+            }
+
+            return new DataResponse();
+        } catch (HintException $e ) {
+            $this->logger->logException($e, [
+                'message' => 'Failed addUser attempt with hint exception.',
+                'level' => \OCP\Util::WARN,
+                'app' => 'ocs_api',
+            ]);
+            throw new OCSException($e->getHint(), 107);
+        } catch (\Exception $e) {
+            $this->logger->logException($e, [
+                'message' => 'Failed addUser attempt with exception.',
+                'level' => \OCP\Util::ERROR,
+                'app' => 'ocs_api',
+            ]);
+            throw new OCSException('Bad request', 101);
+        }
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     *
+     * gets user info
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function getUser(string $userId): DataResponse {
+        $data = $this->getUserData($userId);
+        return new DataResponse($data);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     *
+     * gets user info from the currently logged in user
+     *
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function getCurrentUser(): DataResponse {
+        $user = $this->userSession->getUser();
+        if ($user) {
+            $data =  $this->getUserData($user->getUID());
+            // rename "displayname" to "display-name" only for this call to keep
+            // the API stable.
+            $data['display-name'] = $data['displayname'];
+            unset($data['displayname']);
+            return new DataResponse($data);
+
+        }
+
+        throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+    }
+
+    /**
+     * creates a array with all user data
+     *
+     * @param $userId
+     * @return array
+     * @throws OCSException
+     */
+    protected function getUserData(string $userId): array {
+        $currentLoggedInUser = $this->userSession->getUser();
+
+        $data = [];
+
+        // Check if the target user exists
+        $targetUserObject = $this->userManager->get($userId);
+        if($targetUserObject === null) {
+            throw new OCSException('The requested user could not be found', \OCP\API::RESPOND_NOT_FOUND);
+        }
+
+        // Admin? Or SubAdmin?
+        if($this->groupManager->isAdmin($currentLoggedInUser->getUID())
+            || $this->groupManager->getSubAdmin()->isUserAccessible($currentLoggedInUser, $targetUserObject)) {
+            $data['enabled'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'enabled', 'true');
+        } else {
+            // Check they are looking up themselves
+            if($currentLoggedInUser->getUID() !== $targetUserObject->getUID()) {
+                throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+            }
+        }
+
+        $userAccount = $this->accountManager->getUser($targetUserObject);
+        $groups = $this->groupManager->getUserGroups($targetUserObject);
+        $gids = [];
+        foreach ($groups as $group) {
+            $gids[] = $group->getDisplayName();
+        }
+
+        // Find the data
+        $data['id'] = $targetUserObject->getUID();
+        $data['quota'] = $this->fillStorageInfo($targetUserObject->getUID());
+        $data[AccountManager::PROPERTY_EMAIL] = $targetUserObject->getEMailAddress();
+        $data[AccountManager::PROPERTY_DISPLAYNAME] = $targetUserObject->getDisplayName();
+        $data[AccountManager::PROPERTY_PHONE] = $userAccount[AccountManager::PROPERTY_PHONE]['value'];
+        $data[AccountManager::PROPERTY_ADDRESS] = $userAccount[AccountManager::PROPERTY_ADDRESS]['value'];
+        $data[AccountManager::PROPERTY_WEBSITE] = $userAccount[AccountManager::PROPERTY_WEBSITE]['value'];
+        $data[AccountManager::PROPERTY_TWITTER] = $userAccount[AccountManager::PROPERTY_TWITTER]['value'];
+        $data['groups'] = $gids;
+        $data['language'] = $this->config->getUserValue($targetUserObject->getUID(), 'core', 'lang');
+
+        return $data;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     */
+    public function getEditableFields(): DataResponse {
+        $permittedFields = [];
+
+        // Editing self (display, email)
+        if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
+            $permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
+            $permittedFields[] = AccountManager::PROPERTY_EMAIL;
+        }
+
+        if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
+            $federatedFileSharing = $this->federatedFileSharingFactory->get();
+            $shareProvider = $federatedFileSharing->getFederatedShareProvider();
+            if ($shareProvider->isLookupServerUploadEnabled()) {
+                $permittedFields[] = AccountManager::PROPERTY_PHONE;
+                $permittedFields[] = AccountManager::PROPERTY_ADDRESS;
+                $permittedFields[] = AccountManager::PROPERTY_WEBSITE;
+                $permittedFields[] = AccountManager::PROPERTY_TWITTER;
+            }
+        }
+
+        return new DataResponse($permittedFields);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * edit users
+     *
+     * @param string $userId
+     * @param string $key
+     * @param string $value
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function editUser(string $userId, string $key, string $value): DataResponse {
+        $currentLoggedInUser = $this->userSession->getUser();
+
+        $targetUser = $this->userManager->get($userId);
+        if($targetUser === null) {
+            throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+        }
+
+        $permittedFields = [];
+        if($targetUser->getUID() === $currentLoggedInUser->getUID()) {
+            // Editing self (display, email)
+            if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
+                $permittedFields[] = 'display';
+                $permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
+                $permittedFields[] = AccountManager::PROPERTY_EMAIL;
+            }
+
+            $permittedFields[] = 'password';
+            if ($this->config->getSystemValue('force_language', false) === false ||
+                $this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
+                $permittedFields[] = 'language';
+            }
+
+            if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
+                $federatedFileSharing = new \OCA\FederatedFileSharing\AppInfo\Application();
+                $shareProvider = $federatedFileSharing->getFederatedShareProvider();
+                if ($shareProvider->isLookupServerUploadEnabled()) {
+                    $permittedFields[] = AccountManager::PROPERTY_PHONE;
+                    $permittedFields[] = AccountManager::PROPERTY_ADDRESS;
+                    $permittedFields[] = AccountManager::PROPERTY_WEBSITE;
+                    $permittedFields[] = AccountManager::PROPERTY_TWITTER;
+                }
+            }
+
+            // If admin they can edit their own quota
+            if($this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
+                $permittedFields[] = 'quota';
+            }
+        } else {
+            // Check if admin / subadmin
+            $subAdminManager = $this->groupManager->getSubAdmin();
+            if($subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
+            || $this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
+                // They have permissions over the user
+                $permittedFields[] = 'display';
+                $permittedFields[] = AccountManager::PROPERTY_DISPLAYNAME;
+                $permittedFields[] = AccountManager::PROPERTY_EMAIL;
+                $permittedFields[] = 'password';
+                $permittedFields[] = 'language';
+                $permittedFields[] = AccountManager::PROPERTY_PHONE;
+                $permittedFields[] = AccountManager::PROPERTY_ADDRESS;
+                $permittedFields[] = AccountManager::PROPERTY_WEBSITE;
+                $permittedFields[] = AccountManager::PROPERTY_TWITTER;
+                $permittedFields[] = 'quota';
+            } else {
+                // No rights
+                throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+            }
+        }
+        // Check if permitted to edit this field
+        if(!in_array($key, $permittedFields)) {
+            throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+        }
+        // Process the edit
+        switch($key) {
+            case 'display':
+            case AccountManager::PROPERTY_DISPLAYNAME:
+                $targetUser->setDisplayName($value);
+                break;
+            case 'quota':
+                $quota = $value;
+                if($quota !== 'none' && $quota !== 'default') {
+                    if (is_numeric($quota)) {
+                        $quota = (float) $quota;
+                    } else {
+                        $quota = \OCP\Util::computerFileSize($quota);
+                    }
+                    if ($quota === false) {
+                        throw new OCSException('Invalid quota value '.$value, 103);
+                    }
+                    if($quota === 0) {
+                        $quota = 'default';
+                    }else if($quota === -1) {
+                        $quota = 'none';
+                    } else {
+                        $quota = \OCP\Util::humanFileSize($quota);
+                    }
+                }
+                $targetUser->setQuota($quota);
+                break;
+            case 'password':
+                $targetUser->setPassword($value);
+                break;
+            case 'language':
+                $languagesCodes = $this->l10nFactory->findAvailableLanguages();
+                if (!in_array($value, $languagesCodes, true) && $value !== 'en') {
+                    throw new OCSException('Invalid language', 102);
+                }
+                $this->config->setUserValue($targetUser->getUID(), 'core', 'lang', $value);
+                break;
+            case AccountManager::PROPERTY_EMAIL:
+                if(filter_var($value, FILTER_VALIDATE_EMAIL)) {
+                    $targetUser->setEMailAddress($value);
+                } else {
+                    throw new OCSException('', 102);
+                }
+                break;
+            case AccountManager::PROPERTY_PHONE:
+            case AccountManager::PROPERTY_ADDRESS:
+            case AccountManager::PROPERTY_WEBSITE:
+            case AccountManager::PROPERTY_TWITTER:
+                $userAccount = $this->accountManager->getUser($targetUser);
+                if ($userAccount[$key]['value'] !== $value) {
+                    $userAccount[$key]['value'] = $value;
+                    $this->accountManager->updateUser($targetUser, $userAccount);
+                }
+                break;
+            default:
+                throw new OCSException('', 103);
+        }
+        return new DataResponse();
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function deleteUser(string $userId): DataResponse {
+        $currentLoggedInUser = $this->userSession->getUser();
+
+        $targetUser = $this->userManager->get($userId);
+
+        if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
+            throw new OCSException('', 101);
+        }
+
+        // If not permitted
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
+            throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+        }
+
+        // Go ahead with the delete
+        if($targetUser->delete()) {
+            return new DataResponse();
+        } else {
+            throw new OCSException('', 101);
+        }
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     * @throws OCSForbiddenException
+     */
+    public function disableUser(string $userId): DataResponse {
+        return $this->setEnabled($userId, false);
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     * @throws OCSForbiddenException
+     */
+    public function enableUser(string $userId): DataResponse {
+        return $this->setEnabled($userId, true);
+    }
+
+    /**
+     * @param string $userId
+     * @param bool $value
+     * @return DataResponse
+     * @throws OCSException
+     */
+    private function setEnabled(string $userId, bool $value): DataResponse {
+        $currentLoggedInUser = $this->userSession->getUser();
+
+        $targetUser = $this->userManager->get($userId);
+        if($targetUser === null || $targetUser->getUID() === $currentLoggedInUser->getUID()) {
+            throw new OCSException('', 101);
+        }
+
+        // If not permitted
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if(!$this->groupManager->isAdmin($currentLoggedInUser->getUID()) && !$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)) {
+            throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+        }
+
+        // enable/disable the user now
+        $targetUser->setEnabled($value);
+        return new DataResponse();
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubAdminRequired
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function getUsersGroups(string $userId): DataResponse {
+        $loggedInUser = $this->userSession->getUser();
+
+        $targetUser = $this->userManager->get($userId);
+        if($targetUser === null) {
+            throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
+        }
+
+        if($targetUser->getUID() === $loggedInUser->getUID() || $this->groupManager->isAdmin($loggedInUser->getUID())) {
+            // Self lookup or admin lookup
+            return new DataResponse([
+                'groups' => $this->groupManager->getUserGroupIds($targetUser)
+            ]);
+        } else {
+            $subAdminManager = $this->groupManager->getSubAdmin();
+
+            // Looking up someone else
+            if($subAdminManager->isUserAccessible($loggedInUser, $targetUser)) {
+                // Return the group that the method caller is subadmin of for the user in question
+                /** @var IGroup[] $getSubAdminsGroups */
+                $getSubAdminsGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
+                foreach ($getSubAdminsGroups as $key => $group) {
+                    $getSubAdminsGroups[$key] = $group->getGID();
+                }
+                $groups = array_intersect(
+                    $getSubAdminsGroups,
+                    $this->groupManager->getUserGroupIds($targetUser)
+                );
+                return new DataResponse(['groups' => $groups]);
+            } else {
+                // Not permitted
+                throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+            }
+        }
+
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userId
+     * @param string $groupid
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function addToGroup(string $userId, string $groupid = ''): DataResponse {
+        if($groupid === '') {
+            throw new OCSException('', 101);
+        }
+
+        $group = $this->groupManager->get($groupid);
+        $targetUser = $this->userManager->get($userId);
+        if($group === null) {
+            throw new OCSException('', 102);
+        }
+        if($targetUser === null) {
+            throw new OCSException('', 103);
+        }
+
+        // If they're not an admin, check they are a subadmin of the group in question
+        $loggedInUser = $this->userSession->getUser();
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
+            throw new OCSException('', 104);
+        }
+
+        // Add user to group
+        $group->addUser($targetUser);
+        return new DataResponse();
+    }
+
+    /**
+     * @PasswordConfirmationRequired
+     * @NoAdminRequired
+     *
+     * @param string $userId
+     * @param string $groupid
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function removeFromGroup(string $userId, string $groupid): DataResponse {
+        $loggedInUser = $this->userSession->getUser();
+
+        if($groupid === null || trim($groupid) === '') {
+            throw new OCSException('', 101);
+        }
+
+        $group = $this->groupManager->get($groupid);
+        if($group === null) {
+            throw new OCSException('', 102);
+        }
+
+        $targetUser = $this->userManager->get($userId);
+        if($targetUser === null) {
+            throw new OCSException('', 103);
+        }
+
+        // If they're not an admin, check they are a subadmin of the group in question
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if (!$this->groupManager->isAdmin($loggedInUser->getUID()) && !$subAdminManager->isSubAdminOfGroup($loggedInUser, $group)) {
+            throw new OCSException('', 104);
+        }
+
+        // Check they aren't removing themselves from 'admin' or their 'subadmin; group
+        if ($targetUser->getUID() === $loggedInUser->getUID()) {
+            if ($this->groupManager->isAdmin($loggedInUser->getUID())) {
+                if ($group->getGID() === 'admin') {
+                    throw new OCSException('Cannot remove yourself from the admin group', 105);
+                }
+            } else {
+                // Not an admin, so the user must be a subadmin of this group, but that is not allowed.
+                throw new OCSException('Cannot remove yourself from this group as you are a SubAdmin', 105);
+            }
+
+        } else if (!$this->groupManager->isAdmin($loggedInUser->getUID())) {
+            /** @var IGroup[] $subAdminGroups */
+            $subAdminGroups = $subAdminManager->getSubAdminsGroups($loggedInUser);
+            $subAdminGroups = array_map(function (IGroup $subAdminGroup) {
+                return $subAdminGroup->getGID();
+            }, $subAdminGroups);
+            $userGroups = $this->groupManager->getUserGroupIds($targetUser);
+            $userSubAdminGroups = array_intersect($subAdminGroups, $userGroups);
+
+            if (count($userSubAdminGroups) <= 1) {
+                // Subadmin must not be able to remove a user from all their subadmin groups.
+                throw new OCSException('Cannot remove user from this group as this is the only remaining group you are a SubAdmin of', 105);
+            }
+        }
+
+        // Remove user from group
+        $group->removeUser($targetUser);
+        return new DataResponse();
+    }
+
+    /**
+     * Creates a subadmin
+     *
+     * @PasswordConfirmationRequired
+     *
+     * @param string $userId
+     * @param string $groupid
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function addSubAdmin(string $userId, string $groupid): DataResponse {
+        $group = $this->groupManager->get($groupid);
+        $user = $this->userManager->get($userId);
+
+        // Check if the user exists
+        if($user === null) {
+            throw new OCSException('User does not exist', 101);
+        }
+        // Check if group exists
+        if($group === null) {
+            throw new OCSException('Group does not exist',  102);
+        }
+        // Check if trying to make subadmin of admin group
+        if($group->getGID() === 'admin') {
+            throw new OCSException('Cannot create subadmins for admin group', 103);
+        }
+
+        $subAdminManager = $this->groupManager->getSubAdmin();
+
+        // We cannot be subadmin twice
+        if ($subAdminManager->isSubAdminofGroup($user, $group)) {
+            return new DataResponse();
+        }
+        // Go
+        if($subAdminManager->createSubAdmin($user, $group)) {
+            return new DataResponse();
+        } else {
+            throw new OCSException('Unknown error occurred', 103);
+        }
+    }
+
+    /**
+     * Removes a subadmin from a group
+     *
+     * @PasswordConfirmationRequired
+     *
+     * @param string $userId
+     * @param string $groupid
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function removeSubAdmin(string $userId, string $groupid): DataResponse {
+        $group = $this->groupManager->get($groupid);
+        $user = $this->userManager->get($userId);
+        $subAdminManager = $this->groupManager->getSubAdmin();
+
+        // Check if the user exists
+        if($user === null) {
+            throw new OCSException('User does not exist', 101);
+        }
+        // Check if the group exists
+        if($group === null) {
+            throw new OCSException('Group does not exist', 101);
+        }
+        // Check if they are a subadmin of this said group
+        if(!$subAdminManager->isSubAdminOfGroup($user, $group)) {
+            throw new OCSException('User is not a subadmin of this group', 102);
+        }
+
+        // Go
+        if($subAdminManager->deleteSubAdmin($user, $group)) {
+            return new DataResponse();
+        } else {
+            throw new OCSException('Unknown error occurred', 103);
+        }
+    }
+
+    /**
+     * Get the groups a user is a subadmin of
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function getUserSubAdminGroups(string $userId): DataResponse {
+        $user = $this->userManager->get($userId);
+        // Check if the user exists
+        if($user === null) {
+            throw new OCSException('User does not exist', 101);
+        }
+
+        // Get the subadmin groups
+        $subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($user);
+        $groups = [];
+        foreach ($subAdminGroups as $key => $group) {
+            $groups[] = $group->getGID();
+        }
+
+        if(!$groups) {
+            throw new OCSException('Unknown error occurred', 102);
+        } else {
+            return new DataResponse($groups);
+        }
+    }
+
+    /**
+     * @param string $userId
+     * @return array
+     * @throws \OCP\Files\NotFoundException
+     */
+    protected function fillStorageInfo(string $userId): array {
+        try {
+            \OC_Util::tearDownFS();
+            \OC_Util::setupFS($userId);
+            $storage = OC_Helper::getStorageInfo('/');
+            $data = [
+                'free' => $storage['free'],
+                'used' => $storage['used'],
+                'total' => $storage['total'],
+                'relative' => $storage['relative'],
+                'quota' => $storage['quota'],
+            ];
+        } catch (NotFoundException $ex) {
+            $data = [];
+        }
+        return $data;
+    }
+
+    /**
+     * @NoAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * resend welcome message
+     *
+     * @param string $userId
+     * @return DataResponse
+     * @throws OCSException
+     */
+    public function resendWelcomeMessage(string $userId): DataResponse {
+        $currentLoggedInUser = $this->userSession->getUser();
+
+        $targetUser = $this->userManager->get($userId);
+        if($targetUser === null) {
+            throw new OCSException('', \OCP\API::RESPOND_NOT_FOUND);
+        }
+
+        // Check if admin / subadmin
+        $subAdminManager = $this->groupManager->getSubAdmin();
+        if(!$subAdminManager->isUserAccessible($currentLoggedInUser, $targetUser)
+            && !$this->groupManager->isAdmin($currentLoggedInUser->getUID())) {
+            // No rights
+            throw new OCSException('', \OCP\API::RESPOND_UNAUTHORISED);
+        }
+
+        $email = $targetUser->getEMailAddress();
+        if ($email === '' || $email === null) {
+            throw new OCSException('Email address not available', 101);
+        }
+        $username = $targetUser->getUID();
+        $lang = $this->config->getUserValue($username, 'core', 'lang', 'en');
+        if (!$this->l10nFactory->languageExists('settings', $lang)) {
+            $lang = 'en';
+        }
+
+        $l10n = $this->l10nFactory->get('settings', $lang);
+
+        try {
+            $this->newUserMailHelper->setL10N($l10n);
+            $emailTemplate = $this->newUserMailHelper->generateTemplate($targetUser, false);
+            $this->newUserMailHelper->sendMail($targetUser, $emailTemplate);
+        } catch(\Exception $e) {
+            $this->logger->logException($e, [
+                'message' => "Can't send new user mail to $email",
+                'level' => \OCP\Util::ERROR,
+                'app' => 'settings',
+            ]);
+            throw new OCSException('Sending email failed', 102);
+        }
+
+        return new DataResponse();
+    }
 }

settings/Controller/UsersController.php

Indentation +943 added lines, -943 removed lines

@@ -71,948 +71,948 @@
  * @package OC\Settings\Controller
  */
 class UsersController extends Controller {
-	/** @var IL10N */
-	private $l10n;
-	/** @var IUserSession */
-	private $userSession;
-	/** @var bool */
-	private $isAdmin;
-	/** @var IUserManager */
-	private $userManager;
-	/** @var IGroupManager */
-	private $groupManager;
-	/** @var IConfig */
-	private $config;
-	/** @var ILogger */
-	private $log;
-	/** @var IMailer */
-	private $mailer;
-	/** @var bool contains the state of the encryption app */
-	private $isEncryptionAppEnabled;
-	/** @var bool contains the state of the admin recovery setting */
-	private $isRestoreEnabled = false;
-	/** @var IAppManager */
-	private $appManager;
-	/** @var IAvatarManager */
-	private $avatarManager;
-	/** @var AccountManager */
-	private $accountManager;
-	/** @var ISecureRandom */
-	private $secureRandom;
-	/** @var NewUserMailHelper */
-	private $newUserMailHelper;
-	/** @var Manager */
-	private $keyManager;
-	/** @var IJobList */
-	private $jobList;
-
-	/** @var IUserMountCache */
-	private $userMountCache;
-
-	/** @var IManager */
-	private $encryptionManager;
-
-	public function __construct(string $appName,
-								IRequest $request,
-								IUserManager $userManager,
-								IGroupManager $groupManager,
-								IUserSession $userSession,
-								IConfig $config,
-								bool $isAdmin,
-								IL10N $l10n,
-								ILogger $log,
-								IMailer $mailer,
-								IURLGenerator $urlGenerator,
-								IAppManager $appManager,
-								IAvatarManager $avatarManager,
-								AccountManager $accountManager,
-								ISecureRandom $secureRandom,
-								NewUserMailHelper $newUserMailHelper,
-								Manager $keyManager,
-								IJobList $jobList,
-								IUserMountCache $userMountCache,
-								IManager $encryptionManager) {
-		parent::__construct($appName, $request);
-		$this->userManager = $userManager;
-		$this->groupManager = $groupManager;
-		$this->userSession = $userSession;
-		$this->config = $config;
-		$this->isAdmin = $isAdmin;
-		$this->l10n = $l10n;
-		$this->log = $log;
-		$this->mailer = $mailer;
-		$this->appManager = $appManager;
-		$this->avatarManager = $avatarManager;
-		$this->accountManager = $accountManager;
-		$this->secureRandom = $secureRandom;
-		$this->newUserMailHelper = $newUserMailHelper;
-		$this->keyManager = $keyManager;
-		$this->jobList = $jobList;
-		$this->userMountCache = $userMountCache;
-		$this->encryptionManager = $encryptionManager;
-
-		// check for encryption state - TODO see formatUserForIndex
-		$this->isEncryptionAppEnabled = $appManager->isEnabledForUser('encryption');
-		if ($this->isEncryptionAppEnabled) {
-			// putting this directly in empty is possible in PHP 5.5+
-			$result = $config->getAppValue('encryption', 'recoveryAdminEnabled', '0');
-			$this->isRestoreEnabled = !empty($result);
-		}
-	}
-
-	/**
-	 * @param IUser $user
-	 * @param array|null $userGroups
-	 * @return array
-	 */
-	private function formatUserForIndex(IUser $user, array $userGroups = null): array {
-
-		// TODO: eliminate this encryption specific code below and somehow
-		// hook in additional user info from other apps
-
-		// recovery isn't possible if admin or user has it disabled and encryption
-		// is enabled - so we eliminate the else paths in the conditional tree
-		// below
-		$restorePossible = false;
-
-		if ($this->isEncryptionAppEnabled) {
-			if ($this->isRestoreEnabled) {
-				// check for the users recovery setting
-				$recoveryMode = $this->config->getUserValue($user->getUID(), 'encryption', 'recoveryEnabled', '0');
-				// method call inside empty is possible with PHP 5.5+
-				$recoveryModeEnabled = !empty($recoveryMode);
-				if ($recoveryModeEnabled) {
-					// user also has recovery mode enabled
-					$restorePossible = true;
-				}
-			} else {
-				$modules = $this->encryptionManager->getEncryptionModules();
-				$restorePossible = true;
-				foreach ($modules as $id => $module) {
-					/* @var IEncryptionModule $instance */
-					$instance = call_user_func($module['callback']);
-					if ($instance->needDetailedAccessList()) {
-						$restorePossible = false;
-						break;
-					}
-				}
-			}
-		} else {
-			// recovery is possible if encryption is disabled (plain files are
-			// available)
-			$restorePossible = true;
-		}
-
-		$subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroupsName($user);
-
-		$displayName = $user->getEMailAddress();
-		if (is_null($displayName)) {
-			$displayName = '';
-		}
-
-		$avatarAvailable = false;
-		try {
-			$avatarAvailable = $this->avatarManager->getAvatar($user->getUID())->exists();
-		} catch (\Exception $e) {
-			//No avatar yet
-		}
-
-		return [
-			'name' => $user->getUID(),
-			'displayname' => $user->getDisplayName(),
-			'groups' => empty($userGroups) ? $this->groupManager->getUserGroupNames($user) : $userGroups,
-			'subadmin' => $subAdminGroups,
-			'quota' => $user->getQuota(),
-			'quota_bytes' => Util::computerFileSize($user->getQuota()),
-			'storageLocation' => $user->getHome(),
-			'lastLogin' => $user->getLastLogin() * 1000,
-			'backend' => $user->getBackendClassName(),
-			'email' => $displayName,
-			'isRestoreDisabled' => !$restorePossible,
-			'isAvatarAvailable' => $avatarAvailable,
-			'isEnabled' => $user->isEnabled(),
-		];
-	}
-
-	/**
-	 * @param array $userIDs Array with schema [$uid => $displayName]
-	 * @return IUser[]
-	 */
-	private function getUsersForUID(array $userIDs): array {
-		$users = [];
-		foreach ($userIDs as $uid => $displayName) {
-			$users[$uid] = $this->userManager->get($uid);
-		}
-		return $users;
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @param int $offset
-	 * @param int $limit
-	 * @param string $gid GID to filter for
-	 * @param string $pattern Pattern to search for in the username
-	 * @param string $backend Backend to filter for (class-name)
-	 * @return DataResponse
-	 *
-	 * TODO: Tidy up and write unit tests - code is mainly static method calls
-	 */
-	public function index(int $offset = 0, int $limit = 10, string $gid = '', string $pattern = '', string $backend = ''): DataResponse {
-		// Remove backends
-		if (!empty($backend)) {
-			$activeBackends = $this->userManager->getBackends();
-			$this->userManager->clearBackends();
-			foreach ($activeBackends as $singleActiveBackend) {
-				if ($backend === get_class($singleActiveBackend)) {
-					$this->userManager->registerBackend($singleActiveBackend);
-					break;
-				}
-			}
-		}
-
-		$userObjects = [];
-		$users = [];
-		if ($this->isAdmin) {
-			if ($gid !== '' && $gid !== '_disabledUsers' && $gid !== '_everyone') {
-				$batch = $this->getUsersForUID($this->groupManager->displayNamesInGroup($gid, $pattern, $limit, $offset));
-			} else {
-				$batch = $this->userManager->search($pattern, $limit, $offset);
-			}
-
-			foreach ($batch as $user) {
-				if (($gid !== '_disabledUsers' && $user->isEnabled()) ||
-					($gid === '_disabledUsers' && !$user->isEnabled())
-				) {
-					$userObjects[] = $user;
-					$users[] = $this->formatUserForIndex($user);
-				}
-			}
-
-		} else {
-			$subAdminOfGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($this->userSession->getUser());
-			// New class returns IGroup[] so convert back
-			$gids = [];
-			foreach ($subAdminOfGroups as $group) {
-				$gids[] = $group->getGID();
-			}
-			$subAdminOfGroups = $gids;
-
-			// Set the $gid parameter to an empty value if the subadmin has no rights to access a specific group
-			if ($gid !== '' && $gid !== '_disabledUsers' && !in_array($gid, $subAdminOfGroups)) {
-				$gid = '';
-			}
-
-			// Batch all groups the user is subadmin of when a group is specified
-			$batch = [];
-			if ($gid !== '' && $gid !== '_disabledUsers' && $gid !== '_everyone') {
-				$batch = $this->groupManager->displayNamesInGroup($gid, $pattern, $limit, $offset);
-			} else {
-				foreach ($subAdminOfGroups as $group) {
-					$groupUsers = $this->groupManager->displayNamesInGroup($group, $pattern, $limit, $offset);
-
-					foreach ($groupUsers as $uid => $displayName) {
-						$batch[$uid] = $displayName;
-					}
-				}
-			}
-			$batch = $this->getUsersForUID($batch);
-
-			foreach ($batch as $user) {
-				// Only add the groups, this user is a subadmin of
-				$userGroups = array_values(array_intersect(
-					$this->groupManager->getUserGroupIds($user),
-					$subAdminOfGroups
-				));
-				if (($gid !== '_disabledUsers' && $user->isEnabled()) ||
-					($gid === '_disabledUsers' && !$user->isEnabled())
-				) {
-					$userObjects[] = $user;
-					$users[] = $this->formatUserForIndex($user, $userGroups);
-				}
-			}
-		}
-
-		$usedSpace = $this->userMountCache->getUsedSpaceForUsers($userObjects);
-
-		foreach ($users as &$userData) {
-			$userData['size'] = isset($usedSpace[$userData['name']]) ? $usedSpace[$userData['name']] : 0;
-		}
-
-		return new DataResponse($users);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $username
-	 * @param string $password
-	 * @param array $groups
-	 * @param string $email
-	 * @return DataResponse
-	 */
-	public function create(string $username, string $password, array $groups = [], $email = ''): DataResponse {
-		if ($email !== '' && !$this->mailer->validateMailAddress($email)) {
-			return new DataResponse(
-				[
-					'message' => $this->l10n->t('Invalid mail address')
-				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
-			);
-		}
-
-		$currentUser = $this->userSession->getUser();
-
-		if (!$this->isAdmin) {
-			if (!empty($groups)) {
-				foreach ($groups as $key => $group) {
-					$groupObject = $this->groupManager->get($group);
-					if ($groupObject === null) {
-						unset($groups[$key]);
-						continue;
-					}
-
-					if (!$this->groupManager->getSubAdmin()->isSubAdminOfGroup($currentUser, $groupObject)) {
-						unset($groups[$key]);
-					}
-				}
-			}
-
-			if (empty($groups)) {
-				return new DataResponse(
-					[
-						'message' => $this->l10n->t('No valid group selected'),
-					],
-					Http::STATUS_FORBIDDEN
-				);
-			}
-		}
-
-		if ($this->userManager->userExists($username)) {
-			return new DataResponse(
-				[
-					'message' => $this->l10n->t('A user with that name already exists.')
-				],
-				Http::STATUS_CONFLICT
-			);
-		}
-
-		$generatePasswordResetToken = false;
-		if ($password === '') {
-			if ($email === '') {
-				return new DataResponse(
-					[
-						'message' => $this->l10n->t('To send a password link to the user an email address is required.')
-					],
-					Http::STATUS_UNPROCESSABLE_ENTITY
-				);
-			}
-
-			$password = $this->secureRandom->generate(30);
-			// Make sure we pass the password_policy
-			$password .= $this->secureRandom->generate(2, '$!.,;:-~+*[]{}()');
-			$generatePasswordResetToken = true;
-		}
-
-		try {
-			$user = $this->userManager->createUser($username, $password);
-		} catch (\Exception $exception) {
-			$message = $exception->getMessage();
-			if ($exception instanceof HintException && $exception->getHint()) {
-				$message = $exception->getHint();
-			}
-			if (!$message) {
-				$message = $this->l10n->t('Unable to create user.');
-			}
-			return new DataResponse(
-				[
-					'message' => (string)$message,
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-		if ($user instanceof IUser) {
-			if ($groups !== null) {
-				foreach ($groups as $groupName) {
-					$group = $this->groupManager->get($groupName);
-
-					if (empty($group)) {
-						$group = $this->groupManager->createGroup($groupName);
-					}
-					$group->addUser($user);
-				}
-			}
-			/**
-			 * Send new user mail only if a mail is set
-			 */
-			if ($email !== '') {
-				$user->setEMailAddress($email);
-				try {
-					$emailTemplate = $this->newUserMailHelper->generateTemplate($user, $generatePasswordResetToken);
-					$this->newUserMailHelper->sendMail($user, $emailTemplate);
-				} catch (\Exception $e) {
-					$this->log->logException($e, [
-						'message' => "Can't send new user mail to $email",
-						'level' => \OCP\Util::ERROR,
-						'app' => 'settings',
-					]);
-				}
-			}
-			// fetch users groups
-			$userGroups = $this->groupManager->getUserGroupNames($user);
-
-			return new DataResponse(
-				$this->formatUserForIndex($user, $userGroups),
-				Http::STATUS_CREATED
-			);
-		}
-
-		return new DataResponse(
-			[
-				'message' => $this->l10n->t('Unable to create user.')
-			],
-			Http::STATUS_FORBIDDEN
-		);
-
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $id
-	 * @return DataResponse
-	 */
-	public function destroy(string $id): DataResponse {
-		$userId = $this->userSession->getUser()->getUID();
-		$user = $this->userManager->get($id);
-
-		if ($userId === $id) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Unable to delete user.')
-					]
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-		if (!$this->isAdmin && !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Authentication error')
-					]
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-		if ($user && $user->delete()) {
-			return new DataResponse(
-				[
-					'status' => 'success',
-					'data' => [
-						'username' => $id
-					]
-				],
-				Http::STATUS_NO_CONTENT
-			);
-		}
-
-		return new DataResponse(
-			[
-				'status' => 'error',
-				'data' => [
-					'message' => $this->l10n->t('Unable to delete user.')
-				]
-			],
-			Http::STATUS_FORBIDDEN
-		);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 *
-	 * @param string $id
-	 * @param int $enabled
-	 * @return DataResponse
-	 */
-	public function setEnabled(string $id, int $enabled): DataResponse {
-		$enabled = (bool)$enabled;
-		if ($enabled) {
-			$errorMsgGeneral = $this->l10n->t('Error while enabling user.');
-		} else {
-			$errorMsgGeneral = $this->l10n->t('Error while disabling user.');
-		}
-
-		$userId = $this->userSession->getUser()->getUID();
-		$user = $this->userManager->get($id);
-
-		if ($userId === $id) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $errorMsgGeneral
-					]
-				], Http::STATUS_FORBIDDEN
-			);
-		}
-
-		if ($user) {
-			if (!$this->isAdmin && !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)) {
-				return new DataResponse(
-					[
-						'status' => 'error',
-						'data' => [
-							'message' => $this->l10n->t('Authentication error')
-						]
-					],
-					Http::STATUS_FORBIDDEN
-				);
-			}
-
-			$user->setEnabled($enabled);
-			return new DataResponse(
-				[
-					'status' => 'success',
-					'data' => [
-						'username' => $id,
-						'enabled' => $enabled
-					]
-				]
-			);
-		} else {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $errorMsgGeneral
-					]
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-	}
-
-	/**
-	 * Set the mail address of a user
-	 *
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $account
-	 * @param bool $onlyVerificationCode only return verification code without updating the data
-	 * @return DataResponse
-	 */
-	public function getVerificationCode(string $account, bool $onlyVerificationCode): DataResponse {
-
-		$user = $this->userSession->getUser();
-
-		if ($user === null) {
-			return new DataResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		$accountData = $this->accountManager->getUser($user);
-		$cloudId = $user->getCloudId();
-		$message = 'Use my Federated Cloud ID to share with me: ' . $cloudId;
-		$signature = $this->signMessage($user, $message);
-
-		$code = $message . ' ' . $signature;
-		$codeMd5 = $message . ' ' . md5($signature);
-
-		switch ($account) {
-			case 'verify-twitter':
-				$accountData[AccountManager::PROPERTY_TWITTER]['verified'] = AccountManager::VERIFICATION_IN_PROGRESS;
-				$msg = $this->l10n->t('In order to verify your Twitter account, post the following tweet on Twitter (please make sure to post it without any line breaks):');
-				$code = $codeMd5;
-				$type = AccountManager::PROPERTY_TWITTER;
-				$data = $accountData[AccountManager::PROPERTY_TWITTER]['value'];
-				$accountData[AccountManager::PROPERTY_TWITTER]['signature'] = $signature;
-				break;
-			case 'verify-website':
-				$accountData[AccountManager::PROPERTY_WEBSITE]['verified'] = AccountManager::VERIFICATION_IN_PROGRESS;
-				$msg = $this->l10n->t('In order to verify your Website, store the following content in your web-root at \'.well-known/CloudIdVerificationCode.txt\' (please make sure that the complete text is in one line):');
-				$type = AccountManager::PROPERTY_WEBSITE;
-				$data = $accountData[AccountManager::PROPERTY_WEBSITE]['value'];
-				$accountData[AccountManager::PROPERTY_WEBSITE]['signature'] = $signature;
-				break;
-			default:
-				return new DataResponse([], Http::STATUS_BAD_REQUEST);
-		}
-
-		if ($onlyVerificationCode === false) {
-			$this->accountManager->updateUser($user, $accountData);
-
-			$this->jobList->add(VerifyUserData::class,
-				[
-					'verificationCode' => $code,
-					'data' => $data,
-					'type' => $type,
-					'uid' => $user->getUID(),
-					'try' => 0,
-					'lastRun' => $this->getCurrentTime()
-				]
-			);
-		}
-
-		return new DataResponse(['msg' => $msg, 'code' => $code]);
-	}
-
-	/**
-	 * get current timestamp
-	 *
-	 * @return int
-	 */
-	protected function getCurrentTime(): int {
-		return time();
-	}
-
-	/**
-	 * sign message with users private key
-	 *
-	 * @param IUser $user
-	 * @param string $message
-	 *
-	 * @return string base64 encoded signature
-	 */
-	protected function signMessage(IUser $user, string $message): string {
-		$privateKey = $this->keyManager->getKey($user)->getPrivate();
-		openssl_sign(json_encode($message), $signature, $privateKey, OPENSSL_ALGO_SHA512);
-		return base64_encode($signature);
-	}
-
-	/**
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $avatarScope
-	 * @param string $displayname
-	 * @param string $displaynameScope
-	 * @param string $phone
-	 * @param string $phoneScope
-	 * @param string $email
-	 * @param string $emailScope
-	 * @param string $website
-	 * @param string $websiteScope
-	 * @param string $address
-	 * @param string $addressScope
-	 * @param string $twitter
-	 * @param string $twitterScope
-	 * @return DataResponse
-	 */
-	public function setUserSettings($avatarScope,
-									$displayname,
-									$displaynameScope,
-									$phone,
-									$phoneScope,
-									$email,
-									$emailScope,
-									$website,
-									$websiteScope,
-									$address,
-									$addressScope,
-									$twitter,
-									$twitterScope
-	) {
-
-		if (!empty($email) && !$this->mailer->validateMailAddress($email)) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Invalid mail address')
-					]
-				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
-			);
-		}
-
-		$user = $this->userSession->getUser();
-
-		$data = $this->accountManager->getUser($user);
-
-		$data[AccountManager::PROPERTY_AVATAR] = ['scope' => $avatarScope];
-		if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
-			$data[AccountManager::PROPERTY_DISPLAYNAME] = ['value' => $displayname, 'scope' => $displaynameScope];
-			$data[AccountManager::PROPERTY_EMAIL] = ['value' => $email, 'scope' => $emailScope];
-		}
-
-		if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
-			$federatedFileSharing = new \OCA\FederatedFileSharing\AppInfo\Application();
-			$shareProvider = $federatedFileSharing->getFederatedShareProvider();
-			if ($shareProvider->isLookupServerUploadEnabled()) {
-				$data[AccountManager::PROPERTY_WEBSITE] = ['value' => $website, 'scope' => $websiteScope];
-				$data[AccountManager::PROPERTY_ADDRESS] = ['value' => $address, 'scope' => $addressScope];
-				$data[AccountManager::PROPERTY_PHONE] = ['value' => $phone, 'scope' => $phoneScope];
-				$data[AccountManager::PROPERTY_TWITTER] = ['value' => $twitter, 'scope' => $twitterScope];
-			}
-		}
-
-		try {
-			$this->saveUserSettings($user, $data);
-			return new DataResponse(
-				[
-					'status' => 'success',
-					'data' => [
-						'userId' => $user->getUID(),
-						'avatarScope' => $data[AccountManager::PROPERTY_AVATAR]['scope'],
-						'displayname' => $data[AccountManager::PROPERTY_DISPLAYNAME]['value'],
-						'displaynameScope' => $data[AccountManager::PROPERTY_DISPLAYNAME]['scope'],
-						'email' => $data[AccountManager::PROPERTY_EMAIL]['value'],
-						'emailScope' => $data[AccountManager::PROPERTY_EMAIL]['scope'],
-						'website' => $data[AccountManager::PROPERTY_WEBSITE]['value'],
-						'websiteScope' => $data[AccountManager::PROPERTY_WEBSITE]['scope'],
-						'address' => $data[AccountManager::PROPERTY_ADDRESS]['value'],
-						'addressScope' => $data[AccountManager::PROPERTY_ADDRESS]['scope'],
-						'message' => $this->l10n->t('Settings saved')
-					]
-				],
-				Http::STATUS_OK
-			);
-		} catch (ForbiddenException $e) {
-			return new DataResponse([
-				'status' => 'error',
-				'data' => [
-					'message' => $e->getMessage()
-				],
-			]);
-		}
-
-	}
-
-
-	/**
-	 * update account manager with new user data
-	 *
-	 * @param IUser $user
-	 * @param array $data
-	 * @throws ForbiddenException
-	 */
-	protected function saveUserSettings(IUser $user, array $data) {
-
-		// keep the user back-end up-to-date with the latest display name and email
-		// address
-		$oldDisplayName = $user->getDisplayName();
-		$oldDisplayName = is_null($oldDisplayName) ? '' : $oldDisplayName;
-		if (isset($data[AccountManager::PROPERTY_DISPLAYNAME]['value'])
-			&& $oldDisplayName !== $data[AccountManager::PROPERTY_DISPLAYNAME]['value']
-		) {
-			$result = $user->setDisplayName($data[AccountManager::PROPERTY_DISPLAYNAME]['value']);
-			if ($result === false) {
-				throw new ForbiddenException($this->l10n->t('Unable to change full name'));
-			}
-		}
-
-		$oldEmailAddress = $user->getEMailAddress();
-		$oldEmailAddress = is_null($oldEmailAddress) ? '' : $oldEmailAddress;
-		if (isset($data[AccountManager::PROPERTY_EMAIL]['value'])
-			&& $oldEmailAddress !== $data[AccountManager::PROPERTY_EMAIL]['value']
-		) {
-			// this is the only permission a backend provides and is also used
-			// for the permission of setting a email address
-			if (!$user->canChangeDisplayName()) {
-				throw new ForbiddenException($this->l10n->t('Unable to change email address'));
-			}
-			$user->setEMailAddress($data[AccountManager::PROPERTY_EMAIL]['value']);
-		}
-
-		$this->accountManager->updateUser($user, $data);
-	}
-
-	/**
-	 * Count all unique users visible for the current admin/subadmin.
-	 *
-	 * @NoAdminRequired
-	 *
-	 * @return DataResponse
-	 */
-	public function stats(): DataResponse {
-		$userCount = 0;
-		if ($this->isAdmin) {
-			$countByBackend = $this->userManager->countUsers();
-
-			if (!empty($countByBackend)) {
-				foreach ($countByBackend as $count) {
-					$userCount += $count;
-				}
-			}
-		} else {
-			$groups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($this->userSession->getUser());
-
-			$uniqueUsers = [];
-			foreach ($groups as $group) {
-				foreach ($group->getUsers() as $uid => $displayName) {
-					$uniqueUsers[$uid] = true;
-				}
-			}
-
-			$userCount = count($uniqueUsers);
-		}
-
-		return new DataResponse(
-			[
-				'totalUsers' => $userCount
-			]
-		);
-	}
-
-
-	/**
-	 * Set the displayName of a user
-	 *
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 * @PasswordConfirmationRequired
-	 * @todo merge into saveUserSettings
-	 *
-	 * @param string $username
-	 * @param string $displayName
-	 * @return DataResponse
-	 */
-	public function setDisplayName(string $username, string $displayName) {
-		$currentUser = $this->userSession->getUser();
-		$user = $this->userManager->get($username);
-
-		if ($user === null ||
-			!$user->canChangeDisplayName() ||
-			(
-				!$this->groupManager->isAdmin($currentUser->getUID()) &&
-				!$this->groupManager->getSubAdmin()->isUserAccessible($currentUser, $user) &&
-				$currentUser->getUID() !== $username
-
-			)
-		) {
-			return new DataResponse([
-				'status' => 'error',
-				'data' => [
-					'message' => $this->l10n->t('Authentication error'),
-				],
-			]);
-		}
-
-		$userData = $this->accountManager->getUser($user);
-		$userData[AccountManager::PROPERTY_DISPLAYNAME]['value'] = $displayName;
-
-
-		try {
-			$this->saveUserSettings($user, $userData);
-			return new DataResponse([
-				'status' => 'success',
-				'data' => [
-					'message' => $this->l10n->t('Your full name has been changed.'),
-					'username' => $username,
-					'displayName' => $displayName,
-				],
-			]);
-		} catch (ForbiddenException $e) {
-			return new DataResponse([
-				'status' => 'error',
-				'data' => [
-					'message' => $e->getMessage(),
-					'displayName' => $user->getDisplayName(),
-				],
-			]);
-		}
-	}
-
-	/**
-	 * Set the mail address of a user
-	 *
-	 * @NoAdminRequired
-	 * @NoSubadminRequired
-	 * @PasswordConfirmationRequired
-	 *
-	 * @param string $id
-	 * @param string $mailAddress
-	 * @return DataResponse
-	 */
-	public function setEMailAddress(string $id, string $mailAddress) {
-		$user = $this->userManager->get($id);
-		if (!$this->isAdmin
-			&& !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)
-		) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Forbidden')
-					]
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-		if ($mailAddress !== '' && !$this->mailer->validateMailAddress($mailAddress)) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Invalid mail address')
-					]
-				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
-			);
-		}
-
-		if (!$user) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Invalid user')
-					]
-				],
-				Http::STATUS_UNPROCESSABLE_ENTITY
-			);
-		}
-		// this is the only permission a backend provides and is also used
-		// for the permission of setting a email address
-		if (!$user->canChangeDisplayName()) {
-			return new DataResponse(
-				[
-					'status' => 'error',
-					'data' => [
-						'message' => $this->l10n->t('Unable to change mail address')
-					]
-				],
-				Http::STATUS_FORBIDDEN
-			);
-		}
-
-		$userData = $this->accountManager->getUser($user);
-		$userData[AccountManager::PROPERTY_EMAIL]['value'] = $mailAddress;
-
-		try {
-			$this->saveUserSettings($user, $userData);
-			return new DataResponse(
-				[
-					'status' => 'success',
-					'data' => [
-						'username' => $id,
-						'mailAddress' => $mailAddress,
-						'message' => $this->l10n->t('Email saved')
-					]
-				],
-				Http::STATUS_OK
-			);
-		} catch (ForbiddenException $e) {
-			return new DataResponse([
-				'status' => 'error',
-				'data' => [
-					'message' => $e->getMessage()
-				],
-			]);
-		}
-	}
+    /** @var IL10N */
+    private $l10n;
+    /** @var IUserSession */
+    private $userSession;
+    /** @var bool */
+    private $isAdmin;
+    /** @var IUserManager */
+    private $userManager;
+    /** @var IGroupManager */
+    private $groupManager;
+    /** @var IConfig */
+    private $config;
+    /** @var ILogger */
+    private $log;
+    /** @var IMailer */
+    private $mailer;
+    /** @var bool contains the state of the encryption app */
+    private $isEncryptionAppEnabled;
+    /** @var bool contains the state of the admin recovery setting */
+    private $isRestoreEnabled = false;
+    /** @var IAppManager */
+    private $appManager;
+    /** @var IAvatarManager */
+    private $avatarManager;
+    /** @var AccountManager */
+    private $accountManager;
+    /** @var ISecureRandom */
+    private $secureRandom;
+    /** @var NewUserMailHelper */
+    private $newUserMailHelper;
+    /** @var Manager */
+    private $keyManager;
+    /** @var IJobList */
+    private $jobList;
+
+    /** @var IUserMountCache */
+    private $userMountCache;
+
+    /** @var IManager */
+    private $encryptionManager;
+
+    public function __construct(string $appName,
+                                IRequest $request,
+                                IUserManager $userManager,
+                                IGroupManager $groupManager,
+                                IUserSession $userSession,
+                                IConfig $config,
+                                bool $isAdmin,
+                                IL10N $l10n,
+                                ILogger $log,
+                                IMailer $mailer,
+                                IURLGenerator $urlGenerator,
+                                IAppManager $appManager,
+                                IAvatarManager $avatarManager,
+                                AccountManager $accountManager,
+                                ISecureRandom $secureRandom,
+                                NewUserMailHelper $newUserMailHelper,
+                                Manager $keyManager,
+                                IJobList $jobList,
+                                IUserMountCache $userMountCache,
+                                IManager $encryptionManager) {
+        parent::__construct($appName, $request);
+        $this->userManager = $userManager;
+        $this->groupManager = $groupManager;
+        $this->userSession = $userSession;
+        $this->config = $config;
+        $this->isAdmin = $isAdmin;
+        $this->l10n = $l10n;
+        $this->log = $log;
+        $this->mailer = $mailer;
+        $this->appManager = $appManager;
+        $this->avatarManager = $avatarManager;
+        $this->accountManager = $accountManager;
+        $this->secureRandom = $secureRandom;
+        $this->newUserMailHelper = $newUserMailHelper;
+        $this->keyManager = $keyManager;
+        $this->jobList = $jobList;
+        $this->userMountCache = $userMountCache;
+        $this->encryptionManager = $encryptionManager;
+
+        // check for encryption state - TODO see formatUserForIndex
+        $this->isEncryptionAppEnabled = $appManager->isEnabledForUser('encryption');
+        if ($this->isEncryptionAppEnabled) {
+            // putting this directly in empty is possible in PHP 5.5+
+            $result = $config->getAppValue('encryption', 'recoveryAdminEnabled', '0');
+            $this->isRestoreEnabled = !empty($result);
+        }
+    }
+
+    /**
+     * @param IUser $user
+     * @param array|null $userGroups
+     * @return array
+     */
+    private function formatUserForIndex(IUser $user, array $userGroups = null): array {
+
+        // TODO: eliminate this encryption specific code below and somehow
+        // hook in additional user info from other apps
+
+        // recovery isn't possible if admin or user has it disabled and encryption
+        // is enabled - so we eliminate the else paths in the conditional tree
+        // below
+        $restorePossible = false;
+
+        if ($this->isEncryptionAppEnabled) {
+            if ($this->isRestoreEnabled) {
+                // check for the users recovery setting
+                $recoveryMode = $this->config->getUserValue($user->getUID(), 'encryption', 'recoveryEnabled', '0');
+                // method call inside empty is possible with PHP 5.5+
+                $recoveryModeEnabled = !empty($recoveryMode);
+                if ($recoveryModeEnabled) {
+                    // user also has recovery mode enabled
+                    $restorePossible = true;
+                }
+            } else {
+                $modules = $this->encryptionManager->getEncryptionModules();
+                $restorePossible = true;
+                foreach ($modules as $id => $module) {
+                    /* @var IEncryptionModule $instance */
+                    $instance = call_user_func($module['callback']);
+                    if ($instance->needDetailedAccessList()) {
+                        $restorePossible = false;
+                        break;
+                    }
+                }
+            }
+        } else {
+            // recovery is possible if encryption is disabled (plain files are
+            // available)
+            $restorePossible = true;
+        }
+
+        $subAdminGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroupsName($user);
+
+        $displayName = $user->getEMailAddress();
+        if (is_null($displayName)) {
+            $displayName = '';
+        }
+
+        $avatarAvailable = false;
+        try {
+            $avatarAvailable = $this->avatarManager->getAvatar($user->getUID())->exists();
+        } catch (\Exception $e) {
+            //No avatar yet
+        }
+
+        return [
+            'name' => $user->getUID(),
+            'displayname' => $user->getDisplayName(),
+            'groups' => empty($userGroups) ? $this->groupManager->getUserGroupNames($user) : $userGroups,
+            'subadmin' => $subAdminGroups,
+            'quota' => $user->getQuota(),
+            'quota_bytes' => Util::computerFileSize($user->getQuota()),
+            'storageLocation' => $user->getHome(),
+            'lastLogin' => $user->getLastLogin() * 1000,
+            'backend' => $user->getBackendClassName(),
+            'email' => $displayName,
+            'isRestoreDisabled' => !$restorePossible,
+            'isAvatarAvailable' => $avatarAvailable,
+            'isEnabled' => $user->isEnabled(),
+        ];
+    }
+
+    /**
+     * @param array $userIDs Array with schema [$uid => $displayName]
+     * @return IUser[]
+     */
+    private function getUsersForUID(array $userIDs): array {
+        $users = [];
+        foreach ($userIDs as $uid => $displayName) {
+            $users[$uid] = $this->userManager->get($uid);
+        }
+        return $users;
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @param int $offset
+     * @param int $limit
+     * @param string $gid GID to filter for
+     * @param string $pattern Pattern to search for in the username
+     * @param string $backend Backend to filter for (class-name)
+     * @return DataResponse
+     *
+     * TODO: Tidy up and write unit tests - code is mainly static method calls
+     */
+    public function index(int $offset = 0, int $limit = 10, string $gid = '', string $pattern = '', string $backend = ''): DataResponse {
+        // Remove backends
+        if (!empty($backend)) {
+            $activeBackends = $this->userManager->getBackends();
+            $this->userManager->clearBackends();
+            foreach ($activeBackends as $singleActiveBackend) {
+                if ($backend === get_class($singleActiveBackend)) {
+                    $this->userManager->registerBackend($singleActiveBackend);
+                    break;
+                }
+            }
+        }
+
+        $userObjects = [];
+        $users = [];
+        if ($this->isAdmin) {
+            if ($gid !== '' && $gid !== '_disabledUsers' && $gid !== '_everyone') {
+                $batch = $this->getUsersForUID($this->groupManager->displayNamesInGroup($gid, $pattern, $limit, $offset));
+            } else {
+                $batch = $this->userManager->search($pattern, $limit, $offset);
+            }
+
+            foreach ($batch as $user) {
+                if (($gid !== '_disabledUsers' && $user->isEnabled()) ||
+                    ($gid === '_disabledUsers' && !$user->isEnabled())
+                ) {
+                    $userObjects[] = $user;
+                    $users[] = $this->formatUserForIndex($user);
+                }
+            }
+
+        } else {
+            $subAdminOfGroups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($this->userSession->getUser());
+            // New class returns IGroup[] so convert back
+            $gids = [];
+            foreach ($subAdminOfGroups as $group) {
+                $gids[] = $group->getGID();
+            }
+            $subAdminOfGroups = $gids;
+
+            // Set the $gid parameter to an empty value if the subadmin has no rights to access a specific group
+            if ($gid !== '' && $gid !== '_disabledUsers' && !in_array($gid, $subAdminOfGroups)) {
+                $gid = '';
+            }
+
+            // Batch all groups the user is subadmin of when a group is specified
+            $batch = [];
+            if ($gid !== '' && $gid !== '_disabledUsers' && $gid !== '_everyone') {
+                $batch = $this->groupManager->displayNamesInGroup($gid, $pattern, $limit, $offset);
+            } else {
+                foreach ($subAdminOfGroups as $group) {
+                    $groupUsers = $this->groupManager->displayNamesInGroup($group, $pattern, $limit, $offset);
+
+                    foreach ($groupUsers as $uid => $displayName) {
+                        $batch[$uid] = $displayName;
+                    }
+                }
+            }
+            $batch = $this->getUsersForUID($batch);
+
+            foreach ($batch as $user) {
+                // Only add the groups, this user is a subadmin of
+                $userGroups = array_values(array_intersect(
+                    $this->groupManager->getUserGroupIds($user),
+                    $subAdminOfGroups
+                ));
+                if (($gid !== '_disabledUsers' && $user->isEnabled()) ||
+                    ($gid === '_disabledUsers' && !$user->isEnabled())
+                ) {
+                    $userObjects[] = $user;
+                    $users[] = $this->formatUserForIndex($user, $userGroups);
+                }
+            }
+        }
+
+        $usedSpace = $this->userMountCache->getUsedSpaceForUsers($userObjects);
+
+        foreach ($users as &$userData) {
+            $userData['size'] = isset($usedSpace[$userData['name']]) ? $usedSpace[$userData['name']] : 0;
+        }
+
+        return new DataResponse($users);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $username
+     * @param string $password
+     * @param array $groups
+     * @param string $email
+     * @return DataResponse
+     */
+    public function create(string $username, string $password, array $groups = [], $email = ''): DataResponse {
+        if ($email !== '' && !$this->mailer->validateMailAddress($email)) {
+            return new DataResponse(
+                [
+                    'message' => $this->l10n->t('Invalid mail address')
+                ],
+                Http::STATUS_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        $currentUser = $this->userSession->getUser();
+
+        if (!$this->isAdmin) {
+            if (!empty($groups)) {
+                foreach ($groups as $key => $group) {
+                    $groupObject = $this->groupManager->get($group);
+                    if ($groupObject === null) {
+                        unset($groups[$key]);
+                        continue;
+                    }
+
+                    if (!$this->groupManager->getSubAdmin()->isSubAdminOfGroup($currentUser, $groupObject)) {
+                        unset($groups[$key]);
+                    }
+                }
+            }
+
+            if (empty($groups)) {
+                return new DataResponse(
+                    [
+                        'message' => $this->l10n->t('No valid group selected'),
+                    ],
+                    Http::STATUS_FORBIDDEN
+                );
+            }
+        }
+
+        if ($this->userManager->userExists($username)) {
+            return new DataResponse(
+                [
+                    'message' => $this->l10n->t('A user with that name already exists.')
+                ],
+                Http::STATUS_CONFLICT
+            );
+        }
+
+        $generatePasswordResetToken = false;
+        if ($password === '') {
+            if ($email === '') {
+                return new DataResponse(
+                    [
+                        'message' => $this->l10n->t('To send a password link to the user an email address is required.')
+                    ],
+                    Http::STATUS_UNPROCESSABLE_ENTITY
+                );
+            }
+
+            $password = $this->secureRandom->generate(30);
+            // Make sure we pass the password_policy
+            $password .= $this->secureRandom->generate(2, '$!.,;:-~+*[]{}()');
+            $generatePasswordResetToken = true;
+        }
+
+        try {
+            $user = $this->userManager->createUser($username, $password);
+        } catch (\Exception $exception) {
+            $message = $exception->getMessage();
+            if ($exception instanceof HintException && $exception->getHint()) {
+                $message = $exception->getHint();
+            }
+            if (!$message) {
+                $message = $this->l10n->t('Unable to create user.');
+            }
+            return new DataResponse(
+                [
+                    'message' => (string)$message,
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+        if ($user instanceof IUser) {
+            if ($groups !== null) {
+                foreach ($groups as $groupName) {
+                    $group = $this->groupManager->get($groupName);
+
+                    if (empty($group)) {
+                        $group = $this->groupManager->createGroup($groupName);
+                    }
+                    $group->addUser($user);
+                }
+            }
+            /**
+             * Send new user mail only if a mail is set
+             */
+            if ($email !== '') {
+                $user->setEMailAddress($email);
+                try {
+                    $emailTemplate = $this->newUserMailHelper->generateTemplate($user, $generatePasswordResetToken);
+                    $this->newUserMailHelper->sendMail($user, $emailTemplate);
+                } catch (\Exception $e) {
+                    $this->log->logException($e, [
+                        'message' => "Can't send new user mail to $email",
+                        'level' => \OCP\Util::ERROR,
+                        'app' => 'settings',
+                    ]);
+                }
+            }
+            // fetch users groups
+            $userGroups = $this->groupManager->getUserGroupNames($user);
+
+            return new DataResponse(
+                $this->formatUserForIndex($user, $userGroups),
+                Http::STATUS_CREATED
+            );
+        }
+
+        return new DataResponse(
+            [
+                'message' => $this->l10n->t('Unable to create user.')
+            ],
+            Http::STATUS_FORBIDDEN
+        );
+
+    }
+
+    /**
+     * @NoAdminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $id
+     * @return DataResponse
+     */
+    public function destroy(string $id): DataResponse {
+        $userId = $this->userSession->getUser()->getUID();
+        $user = $this->userManager->get($id);
+
+        if ($userId === $id) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Unable to delete user.')
+                    ]
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+        if (!$this->isAdmin && !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Authentication error')
+                    ]
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+        if ($user && $user->delete()) {
+            return new DataResponse(
+                [
+                    'status' => 'success',
+                    'data' => [
+                        'username' => $id
+                    ]
+                ],
+                Http::STATUS_NO_CONTENT
+            );
+        }
+
+        return new DataResponse(
+            [
+                'status' => 'error',
+                'data' => [
+                    'message' => $this->l10n->t('Unable to delete user.')
+                ]
+            ],
+            Http::STATUS_FORBIDDEN
+        );
+    }
+
+    /**
+     * @NoAdminRequired
+     *
+     * @param string $id
+     * @param int $enabled
+     * @return DataResponse
+     */
+    public function setEnabled(string $id, int $enabled): DataResponse {
+        $enabled = (bool)$enabled;
+        if ($enabled) {
+            $errorMsgGeneral = $this->l10n->t('Error while enabling user.');
+        } else {
+            $errorMsgGeneral = $this->l10n->t('Error while disabling user.');
+        }
+
+        $userId = $this->userSession->getUser()->getUID();
+        $user = $this->userManager->get($id);
+
+        if ($userId === $id) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $errorMsgGeneral
+                    ]
+                ], Http::STATUS_FORBIDDEN
+            );
+        }
+
+        if ($user) {
+            if (!$this->isAdmin && !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)) {
+                return new DataResponse(
+                    [
+                        'status' => 'error',
+                        'data' => [
+                            'message' => $this->l10n->t('Authentication error')
+                        ]
+                    ],
+                    Http::STATUS_FORBIDDEN
+                );
+            }
+
+            $user->setEnabled($enabled);
+            return new DataResponse(
+                [
+                    'status' => 'success',
+                    'data' => [
+                        'username' => $id,
+                        'enabled' => $enabled
+                    ]
+                ]
+            );
+        } else {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $errorMsgGeneral
+                    ]
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+    }
+
+    /**
+     * Set the mail address of a user
+     *
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $account
+     * @param bool $onlyVerificationCode only return verification code without updating the data
+     * @return DataResponse
+     */
+    public function getVerificationCode(string $account, bool $onlyVerificationCode): DataResponse {
+
+        $user = $this->userSession->getUser();
+
+        if ($user === null) {
+            return new DataResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        $accountData = $this->accountManager->getUser($user);
+        $cloudId = $user->getCloudId();
+        $message = 'Use my Federated Cloud ID to share with me: ' . $cloudId;
+        $signature = $this->signMessage($user, $message);
+
+        $code = $message . ' ' . $signature;
+        $codeMd5 = $message . ' ' . md5($signature);
+
+        switch ($account) {
+            case 'verify-twitter':
+                $accountData[AccountManager::PROPERTY_TWITTER]['verified'] = AccountManager::VERIFICATION_IN_PROGRESS;
+                $msg = $this->l10n->t('In order to verify your Twitter account, post the following tweet on Twitter (please make sure to post it without any line breaks):');
+                $code = $codeMd5;
+                $type = AccountManager::PROPERTY_TWITTER;
+                $data = $accountData[AccountManager::PROPERTY_TWITTER]['value'];
+                $accountData[AccountManager::PROPERTY_TWITTER]['signature'] = $signature;
+                break;
+            case 'verify-website':
+                $accountData[AccountManager::PROPERTY_WEBSITE]['verified'] = AccountManager::VERIFICATION_IN_PROGRESS;
+                $msg = $this->l10n->t('In order to verify your Website, store the following content in your web-root at \'.well-known/CloudIdVerificationCode.txt\' (please make sure that the complete text is in one line):');
+                $type = AccountManager::PROPERTY_WEBSITE;
+                $data = $accountData[AccountManager::PROPERTY_WEBSITE]['value'];
+                $accountData[AccountManager::PROPERTY_WEBSITE]['signature'] = $signature;
+                break;
+            default:
+                return new DataResponse([], Http::STATUS_BAD_REQUEST);
+        }
+
+        if ($onlyVerificationCode === false) {
+            $this->accountManager->updateUser($user, $accountData);
+
+            $this->jobList->add(VerifyUserData::class,
+                [
+                    'verificationCode' => $code,
+                    'data' => $data,
+                    'type' => $type,
+                    'uid' => $user->getUID(),
+                    'try' => 0,
+                    'lastRun' => $this->getCurrentTime()
+                ]
+            );
+        }
+
+        return new DataResponse(['msg' => $msg, 'code' => $code]);
+    }
+
+    /**
+     * get current timestamp
+     *
+     * @return int
+     */
+    protected function getCurrentTime(): int {
+        return time();
+    }
+
+    /**
+     * sign message with users private key
+     *
+     * @param IUser $user
+     * @param string $message
+     *
+     * @return string base64 encoded signature
+     */
+    protected function signMessage(IUser $user, string $message): string {
+        $privateKey = $this->keyManager->getKey($user)->getPrivate();
+        openssl_sign(json_encode($message), $signature, $privateKey, OPENSSL_ALGO_SHA512);
+        return base64_encode($signature);
+    }
+
+    /**
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $avatarScope
+     * @param string $displayname
+     * @param string $displaynameScope
+     * @param string $phone
+     * @param string $phoneScope
+     * @param string $email
+     * @param string $emailScope
+     * @param string $website
+     * @param string $websiteScope
+     * @param string $address
+     * @param string $addressScope
+     * @param string $twitter
+     * @param string $twitterScope
+     * @return DataResponse
+     */
+    public function setUserSettings($avatarScope,
+                                    $displayname,
+                                    $displaynameScope,
+                                    $phone,
+                                    $phoneScope,
+                                    $email,
+                                    $emailScope,
+                                    $website,
+                                    $websiteScope,
+                                    $address,
+                                    $addressScope,
+                                    $twitter,
+                                    $twitterScope
+    ) {
+
+        if (!empty($email) && !$this->mailer->validateMailAddress($email)) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Invalid mail address')
+                    ]
+                ],
+                Http::STATUS_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        $user = $this->userSession->getUser();
+
+        $data = $this->accountManager->getUser($user);
+
+        $data[AccountManager::PROPERTY_AVATAR] = ['scope' => $avatarScope];
+        if ($this->config->getSystemValue('allow_user_to_change_display_name', true) !== false) {
+            $data[AccountManager::PROPERTY_DISPLAYNAME] = ['value' => $displayname, 'scope' => $displaynameScope];
+            $data[AccountManager::PROPERTY_EMAIL] = ['value' => $email, 'scope' => $emailScope];
+        }
+
+        if ($this->appManager->isEnabledForUser('federatedfilesharing')) {
+            $federatedFileSharing = new \OCA\FederatedFileSharing\AppInfo\Application();
+            $shareProvider = $federatedFileSharing->getFederatedShareProvider();
+            if ($shareProvider->isLookupServerUploadEnabled()) {
+                $data[AccountManager::PROPERTY_WEBSITE] = ['value' => $website, 'scope' => $websiteScope];
+                $data[AccountManager::PROPERTY_ADDRESS] = ['value' => $address, 'scope' => $addressScope];
+                $data[AccountManager::PROPERTY_PHONE] = ['value' => $phone, 'scope' => $phoneScope];
+                $data[AccountManager::PROPERTY_TWITTER] = ['value' => $twitter, 'scope' => $twitterScope];
+            }
+        }
+
+        try {
+            $this->saveUserSettings($user, $data);
+            return new DataResponse(
+                [
+                    'status' => 'success',
+                    'data' => [
+                        'userId' => $user->getUID(),
+                        'avatarScope' => $data[AccountManager::PROPERTY_AVATAR]['scope'],
+                        'displayname' => $data[AccountManager::PROPERTY_DISPLAYNAME]['value'],
+                        'displaynameScope' => $data[AccountManager::PROPERTY_DISPLAYNAME]['scope'],
+                        'email' => $data[AccountManager::PROPERTY_EMAIL]['value'],
+                        'emailScope' => $data[AccountManager::PROPERTY_EMAIL]['scope'],
+                        'website' => $data[AccountManager::PROPERTY_WEBSITE]['value'],
+                        'websiteScope' => $data[AccountManager::PROPERTY_WEBSITE]['scope'],
+                        'address' => $data[AccountManager::PROPERTY_ADDRESS]['value'],
+                        'addressScope' => $data[AccountManager::PROPERTY_ADDRESS]['scope'],
+                        'message' => $this->l10n->t('Settings saved')
+                    ]
+                ],
+                Http::STATUS_OK
+            );
+        } catch (ForbiddenException $e) {
+            return new DataResponse([
+                'status' => 'error',
+                'data' => [
+                    'message' => $e->getMessage()
+                ],
+            ]);
+        }
+
+    }
+
+
+    /**
+     * update account manager with new user data
+     *
+     * @param IUser $user
+     * @param array $data
+     * @throws ForbiddenException
+     */
+    protected function saveUserSettings(IUser $user, array $data) {
+
+        // keep the user back-end up-to-date with the latest display name and email
+        // address
+        $oldDisplayName = $user->getDisplayName();
+        $oldDisplayName = is_null($oldDisplayName) ? '' : $oldDisplayName;
+        if (isset($data[AccountManager::PROPERTY_DISPLAYNAME]['value'])
+            && $oldDisplayName !== $data[AccountManager::PROPERTY_DISPLAYNAME]['value']
+        ) {
+            $result = $user->setDisplayName($data[AccountManager::PROPERTY_DISPLAYNAME]['value']);
+            if ($result === false) {
+                throw new ForbiddenException($this->l10n->t('Unable to change full name'));
+            }
+        }
+
+        $oldEmailAddress = $user->getEMailAddress();
+        $oldEmailAddress = is_null($oldEmailAddress) ? '' : $oldEmailAddress;
+        if (isset($data[AccountManager::PROPERTY_EMAIL]['value'])
+            && $oldEmailAddress !== $data[AccountManager::PROPERTY_EMAIL]['value']
+        ) {
+            // this is the only permission a backend provides and is also used
+            // for the permission of setting a email address
+            if (!$user->canChangeDisplayName()) {
+                throw new ForbiddenException($this->l10n->t('Unable to change email address'));
+            }
+            $user->setEMailAddress($data[AccountManager::PROPERTY_EMAIL]['value']);
+        }
+
+        $this->accountManager->updateUser($user, $data);
+    }
+
+    /**
+     * Count all unique users visible for the current admin/subadmin.
+     *
+     * @NoAdminRequired
+     *
+     * @return DataResponse
+     */
+    public function stats(): DataResponse {
+        $userCount = 0;
+        if ($this->isAdmin) {
+            $countByBackend = $this->userManager->countUsers();
+
+            if (!empty($countByBackend)) {
+                foreach ($countByBackend as $count) {
+                    $userCount += $count;
+                }
+            }
+        } else {
+            $groups = $this->groupManager->getSubAdmin()->getSubAdminsGroups($this->userSession->getUser());
+
+            $uniqueUsers = [];
+            foreach ($groups as $group) {
+                foreach ($group->getUsers() as $uid => $displayName) {
+                    $uniqueUsers[$uid] = true;
+                }
+            }
+
+            $userCount = count($uniqueUsers);
+        }
+
+        return new DataResponse(
+            [
+                'totalUsers' => $userCount
+            ]
+        );
+    }
+
+
+    /**
+     * Set the displayName of a user
+     *
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     * @PasswordConfirmationRequired
+     * @todo merge into saveUserSettings
+     *
+     * @param string $username
+     * @param string $displayName
+     * @return DataResponse
+     */
+    public function setDisplayName(string $username, string $displayName) {
+        $currentUser = $this->userSession->getUser();
+        $user = $this->userManager->get($username);
+
+        if ($user === null ||
+            !$user->canChangeDisplayName() ||
+            (
+                !$this->groupManager->isAdmin($currentUser->getUID()) &&
+                !$this->groupManager->getSubAdmin()->isUserAccessible($currentUser, $user) &&
+                $currentUser->getUID() !== $username
+
+            )
+        ) {
+            return new DataResponse([
+                'status' => 'error',
+                'data' => [
+                    'message' => $this->l10n->t('Authentication error'),
+                ],
+            ]);
+        }
+
+        $userData = $this->accountManager->getUser($user);
+        $userData[AccountManager::PROPERTY_DISPLAYNAME]['value'] = $displayName;
+
+
+        try {
+            $this->saveUserSettings($user, $userData);
+            return new DataResponse([
+                'status' => 'success',
+                'data' => [
+                    'message' => $this->l10n->t('Your full name has been changed.'),
+                    'username' => $username,
+                    'displayName' => $displayName,
+                ],
+            ]);
+        } catch (ForbiddenException $e) {
+            return new DataResponse([
+                'status' => 'error',
+                'data' => [
+                    'message' => $e->getMessage(),
+                    'displayName' => $user->getDisplayName(),
+                ],
+            ]);
+        }
+    }
+
+    /**
+     * Set the mail address of a user
+     *
+     * @NoAdminRequired
+     * @NoSubadminRequired
+     * @PasswordConfirmationRequired
+     *
+     * @param string $id
+     * @param string $mailAddress
+     * @return DataResponse
+     */
+    public function setEMailAddress(string $id, string $mailAddress) {
+        $user = $this->userManager->get($id);
+        if (!$this->isAdmin
+            && !$this->groupManager->getSubAdmin()->isUserAccessible($this->userSession->getUser(), $user)
+        ) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Forbidden')
+                    ]
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+        if ($mailAddress !== '' && !$this->mailer->validateMailAddress($mailAddress)) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Invalid mail address')
+                    ]
+                ],
+                Http::STATUS_UNPROCESSABLE_ENTITY
+            );
+        }
+
+        if (!$user) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Invalid user')
+                    ]
+                ],
+                Http::STATUS_UNPROCESSABLE_ENTITY
+            );
+        }
+        // this is the only permission a backend provides and is also used
+        // for the permission of setting a email address
+        if (!$user->canChangeDisplayName()) {
+            return new DataResponse(
+                [
+                    'status' => 'error',
+                    'data' => [
+                        'message' => $this->l10n->t('Unable to change mail address')
+                    ]
+                ],
+                Http::STATUS_FORBIDDEN
+            );
+        }
+
+        $userData = $this->accountManager->getUser($user);
+        $userData[AccountManager::PROPERTY_EMAIL]['value'] = $mailAddress;
+
+        try {
+            $this->saveUserSettings($user, $userData);
+            return new DataResponse(
+                [
+                    'status' => 'success',
+                    'data' => [
+                        'username' => $id,
+                        'mailAddress' => $mailAddress,
+                        'message' => $this->l10n->t('Email saved')
+                    ]
+                ],
+                Http::STATUS_OK
+            );
+        } catch (ForbiddenException $e) {
+            return new DataResponse([
+                'status' => 'error',
+                'data' => [
+                    'message' => $e->getMessage()
+                ],
+            ]);
+        }
+    }
 
 }